Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 07:20

General

  • Target

    2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe

  • Size

    24.3MB

  • MD5

    35937438978a3dcd558ce62f7391cf3c

  • SHA1

    85a18dd06dc2e9dc8849c71851d29020d6d02d2c

  • SHA256

    c133b2c20c0bc18a9d6d8c1bb9be82b52b776b6e83df1bd29a5519969c11524c

  • SHA512

    da9a6a1eb2a78f4008087e093a931c31237feb9089663963b00be5a29c9ab262f3598f643d36698cefc70779848baebf5607ea0d644fb6dd8c5c654bd94da27c

  • SSDEEP

    196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018/Im:VPboGX8a/jWWu3cI2D/cWcls1H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (64 IoCs)
  • Loads dropped DLL (61 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory (23 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (15 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2812
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2440
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:2620
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:2392
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2944
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1612
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:812
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 1e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1164
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2204
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1688
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:812
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1160
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1408
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2336
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1676
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:528
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1216
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2944
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 2a0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1208
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:980
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 2a8 -Pipe 1f0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:3036
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 284 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 2b8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2696
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:836
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1944
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1752
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 208 -NGENProcess 1e4 -Pipe 200 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2108
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 254 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2548
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:976
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:860
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1b0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:972
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 258 -Pipe 230 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1708
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 260 -Pipe 1bc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2696
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 264 -Pipe 22c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2028
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1052
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1956
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1752
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1984
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2460
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
      2⤵
        PID:1088
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e4 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:2412
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
        2⤵
          PID:720
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          PID:2992
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 290 -Comment "NGen Worker Process"
          2⤵
            PID:2840
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
            2⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:1768
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
            2⤵
              PID:576
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 208 -NGENProcess 274 -Pipe 1e4 -Comment "NGen Worker Process"
              2⤵
              • Loads dropped DLL
              • Drops file in Windows directory
              PID:1712
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2ac -Pipe 288 -Comment "NGen Worker Process"
              2⤵
                PID:1728
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
                2⤵
                • Loads dropped DLL
                PID:1840
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 2a8 -Pipe 208 -Comment "NGen Worker Process"
                2⤵
                  PID:2104
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
                  2⤵
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  PID:860
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 26c -Pipe 2b0 -Comment "NGen Worker Process"
                  2⤵
                    PID:2648
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
                    2⤵
                    • Loads dropped DLL
                    • Drops file in Windows directory
                    PID:2708
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 2b8 -Pipe 28c -Comment "NGen Worker Process"
                    2⤵
                      PID:1208
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
                      2⤵
                      • Loads dropped DLL
                      • Drops file in Windows directory
                      PID:1120
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c0 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
                      2⤵
                        PID:2816
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2b4 -Comment "NGen Worker Process"
                        2⤵
                        • Loads dropped DLL
                        • Drops file in Windows directory
                        PID:1008
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2a4 -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"
                        2⤵
                          PID:1708
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"
                          2⤵
                          • Loads dropped DLL
                          • Drops file in Windows directory
                          PID:2664
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
                          2⤵
                            PID:2400
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 26c -NGENProcess 2bc -Pipe 2d4 -Comment "NGen Worker Process"
                            2⤵
                            • Loads dropped DLL
                            • Drops file in Windows directory
                            PID:928
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2bc -NGENProcess 2c4 -Pipe 2a4 -Comment "NGen Worker Process"
                            2⤵
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            PID:2188
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e4 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
                            2⤵
                              PID:1636
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
                              2⤵
                                PID:1088
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"
                                2⤵
                                  PID:1604
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d0 -Pipe 294 -Comment "NGen Worker Process"
                                  2⤵
                                    PID:1164
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 26c -Comment "NGen Worker Process"
                                    2⤵
                                    • Loads dropped DLL
                                    • Drops file in Windows directory
                                    PID:808
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
                                    2⤵
                                    • Loads dropped DLL
                                    • Drops file in Windows directory
                                    PID:2840
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2fc -NGENProcess 2c4 -Pipe 2e0 -Comment "NGen Worker Process"
                                    2⤵
                                      PID:2104
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e4 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
                                      2⤵
                                      • Loads dropped DLL
                                      • Drops file in Windows directory
                                      PID:2348
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 2c4 -Comment "NGen Worker Process"
                                      2⤵
                                        PID:2696
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2fc -Pipe 2d0 -Comment "NGen Worker Process"
                                        2⤵
                                          PID:764
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2dc -Pipe 2f8 -Comment "NGen Worker Process"
                                          2⤵
                                            PID:928
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"
                                            2⤵
                                              PID:1736
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
                                              2⤵
                                                PID:2408
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"
                                                2⤵
                                                  PID:1652
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 304 -Comment "NGen Worker Process"
                                                  2⤵
                                                    PID:2364
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 31c -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"
                                                    2⤵
                                                      PID:1436
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 324 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
                                                      2⤵
                                                        PID:696
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 308 -Pipe 2bc -Comment "NGen Worker Process"
                                                        2⤵
                                                          PID:2600
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"
                                                          2⤵
                                                            PID:1492
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"
                                                            2⤵
                                                              PID:972
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"
                                                              2⤵
                                                                PID:2284
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
                                                                2⤵
                                                                  PID:1580
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f4 -Pipe 324 -Comment "NGen Worker Process"
                                                                  2⤵
                                                                    PID:1068
                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 340 -NGENProcess 308 -Pipe 33c -Comment "NGen Worker Process"
                                                                    2⤵
                                                                      PID:2428
                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
                                                                      2⤵
                                                                        PID:696
                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f4 -Pipe 330 -Comment "NGen Worker Process"
                                                                        2⤵
                                                                          PID:904
                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
                                                                          2⤵
                                                                            PID:2104
                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"
                                                                            2⤵
                                                                              PID:972
                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f4 -Pipe 30c -Comment "NGen Worker Process"
                                                                              2⤵
                                                                                PID:2284
                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 354 -NGENProcess 350 -Pipe 308 -Comment "NGen Worker Process"
                                                                                2⤵
                                                                                  PID:940
                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 340 -NGENProcess 2f4 -Pipe 344 -Comment "NGen Worker Process"
                                                                                  2⤵
                                                                                    PID:1724
                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 348 -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"
                                                                                    2⤵
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in Windows directory
                                                                                    PID:1632
                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
                                                                                    2⤵
                                                                                      PID:2452
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 2f4 -Pipe 318 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                        PID:2656
                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"
                                                                                        2⤵
                                                                                          PID:2216
                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"
                                                                                          2⤵
                                                                                            PID:976
                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2f4 -Pipe 35c -Comment "NGen Worker Process"
                                                                                            2⤵
                                                                                              PID:884
                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"
                                                                                              2⤵
                                                                                                PID:2244
                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 354 -Pipe 34c -Comment "NGen Worker Process"
                                                                                                2⤵
                                                                                                  PID:2972
                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 374 -NGENProcess 384 -Pipe 378 -Comment "NGen Worker Process"
                                                                                                  2⤵
                                                                                                    PID:2764
                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 368 -NGENProcess 354 -Pipe 36c -Comment "NGen Worker Process"
                                                                                                    2⤵
                                                                                                      PID:1504
                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 388 -NGENProcess 37c -Pipe 350 -Comment "NGen Worker Process"
                                                                                                      2⤵
                                                                                                        PID:1096
                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 384 -Pipe 370 -Comment "NGen Worker Process"
                                                                                                        2⤵
                                                                                                          PID:2216
                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 368 -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"
                                                                                                          2⤵
                                                                                                            PID:936
                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 398 -NGENProcess 384 -Pipe 394 -Comment "NGen Worker Process"
                                                                                                            2⤵
                                                                                                              PID:2944
                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
                                                                                                              2⤵
                                                                                                                PID:1852
                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"
                                                                                                                2⤵
                                                                                                                  PID:1768
                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 354 -Comment "NGen Worker Process"
                                                                                                                  2⤵
                                                                                                                    PID:2764
                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 37c -Pipe 2f4 -Comment "NGen Worker Process"
                                                                                                                    2⤵
                                                                                                                      PID:972
                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3a0 -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"
                                                                                                                      2⤵
                                                                                                                        PID:1708
                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 368 -NGENProcess 37c -Pipe 398 -Comment "NGen Worker Process"
                                                                                                                        2⤵
                                                                                                                          PID:2696
                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 3a0 -Comment "NGen Worker Process"
                                                                                                                          2⤵
                                                                                                                            PID:936
                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 314 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"
                                                                                                                            2⤵
                                                                                                                              PID:2164
                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 3bc -NGENProcess 368 -Pipe 384 -Comment "NGen Worker Process"
                                                                                                                              2⤵
                                                                                                                                PID:2532
                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 390 -Comment "NGen Worker Process"
                                                                                                                                2⤵
                                                                                                                                  PID:2636
                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 37c -Pipe 3a8 -Comment "NGen Worker Process"
                                                                                                                                  2⤵
                                                                                                                                    PID:1480
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 368 -Pipe 3b4 -Comment "NGen Worker Process"
                                                                                                                                    2⤵
                                                                                                                                      PID:2904
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b8 -Pipe 3ac -Comment "NGen Worker Process"
                                                                                                                                      2⤵
                                                                                                                                        PID:368
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 37c -Pipe 314 -Comment "NGen Worker Process"
                                                                                                                                        2⤵
                                                                                                                                          PID:2156
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 368 -Pipe 3bc -Comment "NGen Worker Process"
                                                                                                                                          2⤵
                                                                                                                                            PID:940
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b8 -Pipe 3c0 -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                              PID:2596
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b8 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1064
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c4 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1348
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3e8 -Pipe 3b8 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1708
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b0 -NGENProcess 3dc -Pipe 37c -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1120
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e4 -NGENProcess 3f0 -Pipe 3d8 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1080
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 368 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:1644
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3dc -NGENProcess 3ec -Pipe 3b0 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                                PID:1556
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 3d4 -Comment "NGen Worker Process"
                                                                                                                                                2⤵
                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                PID:2572
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3c4 -Comment "NGen Worker Process"
                                                                                                                                                2⤵
                                                                                                                                                  PID:2112
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f4 -NGENProcess 3dc -Pipe 3ec -Comment "NGen Worker Process"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:2260
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3dc -NGENProcess 3f8 -Pipe 40c -Comment "NGen Worker Process"
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2232
                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3cc -NGENProcess 408 -Pipe 368 -Comment "NGen Worker Process"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2032
                                                                                                                                                    • C:\Windows\ehome\ehRecvr.exe
                                                                                                                                                      C:\Windows\ehome\ehRecvr.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:1928
                                                                                                                                                    • C:\Windows\ehome\ehsched.exe
                                                                                                                                                      C:\Windows\ehome\ehsched.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2160
                                                                                                                                                    • C:\Windows\eHome\EhTray.exe
                                                                                                                                                      "C:\Windows\eHome\EhTray.exe" /nav:-2
                                                                                                                                                      1⤵
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                      PID:2960
                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2256
                                                                                                                                                    • C:\Windows\system32\IEEtwCollector.exe
                                                                                                                                                      C:\Windows\system32\IEEtwCollector.exe /V
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:1064
                                                                                                                                                    • C:\Windows\ehome\ehRec.exe
                                                                                                                                                      C:\Windows\ehome\ehRec.exe -Embedding
                                                                                                                                                      1⤵
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:1484
                                                                                                                                                    • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
                                                                                                                                                      "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:1548
                                                                                                                                                    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                      PID:2060
                                                                                                                                                    • C:\Windows\System32\msdtc.exe
                                                                                                                                                      C:\Windows\System32\msdtc.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      PID:2732
                                                                                                                                                    • C:\Windows\system32\msiexec.exe
                                                                                                                                                      C:\Windows\system32\msiexec.exe /V
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:2940
                                                                                                                                                    • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
                                                                                                                                                      "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2604
                                                                                                                                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                                                                                                                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:564
                                                                                                                                                    • C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                      C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2392
                                                                                                                                                    • C:\Windows\system32\locator.exe
                                                                                                                                                      C:\Windows\system32\locator.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2016
                                                                                                                                                    • C:\Windows\System32\snmptrap.exe
                                                                                                                                                      C:\Windows\System32\snmptrap.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:1808
                                                                                                                                                    • C:\Windows\System32\vds.exe
                                                                                                                                                      C:\Windows\System32\vds.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:1780
                                                                                                                                                    • C:\Windows\system32\vssvc.exe
                                                                                                                                                      C:\Windows\system32\vssvc.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:2208
                                                                                                                                                    • C:\Windows\system32\wbengine.exe
                                                                                                                                                      "C:\Windows\system32\wbengine.exe"
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:568
                                                                                                                                                    • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                      C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2616
                                                                                                                                                    • C:\Program Files\Windows Media Player\wmpnetwk.exe
                                                                                                                                                      "C:\Program Files\Windows Media Player\wmpnetwk.exe"
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:2020
                                                                                                                                                    • C:\Windows\system32\SearchIndexer.exe
                                                                                                                                                      C:\Windows\system32\SearchIndexer.exe /Embedding
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:1648
                                                                                                                                                      • C:\Windows\system32\SearchProtocolHost.exe
                                                                                                                                                        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
                                                                                                                                                        2⤵
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:2764
                                                                                                                                                      • C:\Windows\system32\SearchFilterHost.exe
                                                                                                                                                        "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
                                                                                                                                                        2⤵
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        PID:1680
                                                                                                                                                      • C:\Windows\system32\SearchProtocolHost.exe
                                                                                                                                                        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
                                                                                                                                                        2⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:2800
                                                                                                                                                    • C:\Windows\system32\dllhost.exe
                                                                                                                                                      C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
                                                                                                                                                      1⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      PID:2884

                                                                                                                                                    Network

                                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                                    Downloads

                                                                                                                                                    • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

                                                                                                                                                      Filesize

                                                                                                                                                      706KB

                                                                                                                                                    • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

                                                                                                                                                      Filesize

                                                                                                                                                      30.1MB

                                                                                                                                                    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                                                                                                                                      Filesize

                                                                                                                                                      781KB

                                                                                                                                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

                                                                                                                                                      Filesize

                                                                                                                                                      5.2MB

                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                    • C:\Program Files\Windows Media Player\wmpnetwk.exe

                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

                                                                                                                                                      Filesize

                                                                                                                                                      1024KB

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

                                                                                                                                                      Filesize

                                                                                                                                                      24B

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

                                                                                                                                                      Filesize

                                                                                                                                                      648KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

                                                                                                                                                      Filesize

                                                                                                                                                      872KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

                                                                                                                                                      Filesize

                                                                                                                                                      603KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

                                                                                                                                                      Filesize

                                                                                                                                                      678KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

                                                                                                                                                      Filesize

                                                                                                                                                      8KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

                                                                                                                                                      Filesize

                                                                                                                                                      625KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

                                                                                                                                                      Filesize

                                                                                                                                                      1003KB

                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

                                                                                                                                                      Filesize

                                                                                                                                                      656KB

                                                                                                                                                    • C:\Windows\SysWOW64\perfhost.exe

                                                                                                                                                      Filesize

                                                                                                                                                      587KB

                                                                                                                                                    • C:\Windows\System32\SearchIndexer.exe

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • C:\Windows\System32\VSSVC.exe

                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                    • C:\Windows\System32\alg.exe

                                                                                                                                                      Filesize

                                                                                                                                                      644KB

                                                                                                                                                    • C:\Windows\System32\ieetwcollector.exe

                                                                                                                                                      Filesize

                                                                                                                                                      674KB

                                                                                                                                                    • C:\Windows\System32\msdtc.exe

                                                                                                                                                      Filesize

                                                                                                                                                      705KB

                                                                                                                                                    • C:\Windows\System32\snmptrap.exe

                                                                                                                                                      Filesize

                                                                                                                                                      581KB

                                                                                                                                                    • C:\Windows\System32\vds.exe

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • C:\Windows\System32\wbem\WmiApSrv.exe

                                                                                                                                                      Filesize

                                                                                                                                                      765KB

                                                                                                                                                    • C:\Windows\Temp\CabAF81.tmp

                                                                                                                                                      Filesize

                                                                                                                                                      29KB

                                                                                                                                                    • C:\Windows\Temp\TarB0AB.tmp

                                                                                                                                                      Filesize

                                                                                                                                                      81KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      105KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      238KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      248KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      1.8MB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      1.0MB

                                                                                                                                                      MD5

                                                                                                                                                      598a06ea8f1611a24f86bc0bef0f547e

                                                                                                                                                      SHA1

                                                                                                                                                      5a4401a54aa6cd5d8fd883702467879fb5823e37

                                                                                                                                                      SHA256

                                                                                                                                                      e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

                                                                                                                                                      SHA512

                                                                                                                                                      774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      58KB

                                                                                                                                                      MD5

                                                                                                                                                      3d6987fc36386537669f2450761cdd9d

                                                                                                                                                      SHA1

                                                                                                                                                      7a35de593dce75d1cb6a50c68c96f200a93eb0c9

                                                                                                                                                      SHA256

                                                                                                                                                      34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

                                                                                                                                                      SHA512

                                                                                                                                                      1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      205KB

                                                                                                                                                      MD5

                                                                                                                                                      0a41e63195a60814fe770be368b4992f

                                                                                                                                                      SHA1

                                                                                                                                                      d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

                                                                                                                                                      SHA256

                                                                                                                                                      4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

                                                                                                                                                      SHA512

                                                                                                                                                      1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      43KB

                                                                                                                                                      MD5

                                                                                                                                                      68c51bcdc03e97a119431061273f045a

                                                                                                                                                      SHA1

                                                                                                                                                      6ecba97b7be73bf465adf3aa1d6798fedcc1e435

                                                                                                                                                      SHA256

                                                                                                                                                      4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

                                                                                                                                                      SHA512

                                                                                                                                                      d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      198KB

                                                                                                                                                      MD5

                                                                                                                                                      9d9305a1998234e5a8f7047e1d8c0efe

                                                                                                                                                      SHA1

                                                                                                                                                      ba7e589d4943cd4fc9f26c55e83c77559e7337a8

                                                                                                                                                      SHA256

                                                                                                                                                      469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

                                                                                                                                                      SHA512

                                                                                                                                                      58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      70KB

                                                                                                                                                      MD5

                                                                                                                                                      57b601497b76f8cd4f0486d8c8bf918e

                                                                                                                                                      SHA1

                                                                                                                                                      da797c446d4ca5a328f6322219f14efe90a5be54

                                                                                                                                                      SHA256

                                                                                                                                                      1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

                                                                                                                                                      SHA512

                                                                                                                                                      1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      87KB

                                                                                                                                                      MD5

                                                                                                                                                      ed5c3f3402e320a8b4c6a33245a687d1

                                                                                                                                                      SHA1

                                                                                                                                                      4da11c966616583a817e98f7ee6fce6cde381dae

                                                                                                                                                      SHA256

                                                                                                                                                      b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

                                                                                                                                                      SHA512

                                                                                                                                                      d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\93f1160b7dd5fb5e2302d0d40a779a93\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      305KB

                                                                                                                                                      MD5

                                                                                                                                                      73686c9e1615cb7940a1e891fe42a0e8

                                                                                                                                                      SHA1

                                                                                                                                                      b67c449d9c279a493239e1abb13f659f6799e5b5

                                                                                                                                                      SHA256

                                                                                                                                                      0d5d1d66a121ac9d75a17b2f440e93d1239636acebefe04fb3880f8537f256d0

                                                                                                                                                      SHA512

                                                                                                                                                      c8bc0847ebad8fbee93a19ab3eed2488d00731c8f6607b062d5b10143265b75596f93ebe71d1ebde52d6c7485ead966de18d3bdbe38e0b24f9241195ee25d5d9

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      82KB

                                                                                                                                                      MD5

                                                                                                                                                      2eeeff61d87428ae7a2e651822adfdc4

                                                                                                                                                      SHA1

                                                                                                                                                      66f3811045a785626e6e1ea7bab7e42262f4c4c1

                                                                                                                                                      SHA256

                                                                                                                                                      37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

                                                                                                                                                      SHA512

                                                                                                                                                      cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      58KB

                                                                                                                                                      MD5

                                                                                                                                                      a8b651d9ae89d5e790ab8357edebbffe

                                                                                                                                                      SHA1

                                                                                                                                                      500cff2ba14e4c86c25c045a51aec8aa6e62d796

                                                                                                                                                      SHA256

                                                                                                                                                      1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

                                                                                                                                                      SHA512

                                                                                                                                                      b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\aed73bfbba16cde52a8eb5deb16afb71\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      271KB

                                                                                                                                                      MD5

                                                                                                                                                      3d86be1fd7212105a0c4db9538c7665f

                                                                                                                                                      SHA1

                                                                                                                                                      fddf4cc86473e089ecdefc6f5d099ee978338380

                                                                                                                                                      SHA256

                                                                                                                                                      30e695790a97df1d6e37537fc14d20d88946818b4726322eecdcaf5b01cd4367

                                                                                                                                                      SHA512

                                                                                                                                                      25240d6cf2b8e4ec198f536fdaf17f335b6dc5a3df482a0878ab53ff87f93b319f5dc50dfe908264bbe8ece1a3f4a3027a84dbdf3c1f3e0011a141e1049ffa50

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      85KB

                                                                                                                                                      MD5

                                                                                                                                                      5180107f98e16bdca63e67e7e3169d22

                                                                                                                                                      SHA1

                                                                                                                                                      dd2e82756dcda2f5a82125c4d743b4349955068d

                                                                                                                                                      SHA256

                                                                                                                                                      d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

                                                                                                                                                      SHA512

                                                                                                                                                      27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      298KB

                                                                                                                                                      MD5

                                                                                                                                                      5fd34a21f44ccbeda1bf502aa162a96a

                                                                                                                                                      SHA1

                                                                                                                                                      1f3b1286c01dea47be5e65cb72956a2355e1ae5e

                                                                                                                                                      SHA256

                                                                                                                                                      5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

                                                                                                                                                      SHA512

                                                                                                                                                      58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f44bca87becb36a598662d6423dee1ca\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      122KB

                                                                                                                                                      MD5

                                                                                                                                                      4c007cdd363e007fc45d6f59506199ab

                                                                                                                                                      SHA1

                                                                                                                                                      cb14f1f1138045fbd8aa2c108a064a8382d74a0f

                                                                                                                                                      SHA256

                                                                                                                                                      97b8118d4e2289e82ac5c15c8d51d6bc1fd938207537a3d3c237c8fce4331e26

                                                                                                                                                      SHA512

                                                                                                                                                      91148efda5466cefeae0a9f989bdc5a9e2656092832dec32aed46d544379252492cd301d699c5912b89cde0f05549bc82db70cd08cf462bda3e6d17b65d1495a

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f849cafdd4a46b1ee69469febecb5601\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      221KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      43KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      124KB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                    • C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

                                                                                                                                                      Filesize

                                                                                                                                                      88KB

                                                                                                                                                    • C:\Windows\ehome\ehrecvr.exe

                                                                                                                                                      Filesize

                                                                                                                                                      1.2MB

                                                                                                                                                    • C:\Windows\ehome\ehsched.exe

                                                                                                                                                      Filesize

                                                                                                                                                      691KB

                                                                                                                                                    • \Windows\System32\Locator.exe

                                                                                                                                                      Filesize

                                                                                                                                                      577KB

                                                                                                                                                    • \Windows\System32\msiexec.exe

                                                                                                                                                      Filesize

                                                                                                                                                      691KB

                                                                                                                                                    • \Windows\System32\wbengine.exe

                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • memory/1320-69-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1408-696-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1408-714-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1548-287-0x000000002E000000-0x000000002FE1E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      30.1MB

                                                                                                                                                    • memory/1548-175-0x000000002E000000-0x000000002FE1E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      30.1MB

                                                                                                                                                    • memory/1580-496-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1580-520-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1612-492-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1612-444-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1648-374-0x0000000100000000-0x0000000100123000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • memory/1648-673-0x0000000100000000-0x0000000100123000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • memory/1676-736-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1676-751-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1688-641-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1688-657-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/1752-334-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      696KB

                                                                                                                                                    • memory/1752-387-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      696KB

                                                                                                                                                    • memory/1780-516-0x0000000100000000-0x0000000100114000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • memory/1780-297-0x0000000100000000-0x0000000100114000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.1MB

                                                                                                                                                    • memory/1808-294-0x0000000100000000-0x0000000100096000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      600KB

                                                                                                                                                    • memory/1928-113-0x0000000000850000-0x00000000008B0000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      384KB

                                                                                                                                                    • memory/1928-115-0x0000000140000000-0x000000014013C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.2MB

                                                                                                                                                    • memory/1928-107-0x0000000000850000-0x00000000008B0000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      384KB

                                                                                                                                                    • memory/1928-232-0x0000000140000000-0x000000014013C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.2MB

                                                                                                                                                    • memory/1944-345-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      696KB

                                                                                                                                                    • memory/1944-298-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      696KB

                                                                                                                                                    • memory/2016-494-0x0000000100000000-0x0000000100095000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      596KB

                                                                                                                                                    • memory/2016-259-0x0000000100000000-0x0000000100095000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      596KB

                                                                                                                                                    • memory/2020-655-0x0000000100000000-0x000000010020A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • memory/2020-369-0x0000000100000000-0x000000010020A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • memory/2060-194-0x0000000140000000-0x00000001400CA000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      808KB

                                                                                                                                                    • memory/2060-178-0x0000000140000000-0x00000001400CA000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      808KB

                                                                                                                                                    • memory/2112-610-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2112-629-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2124-729-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2124-747-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2160-238-0x0000000140000000-0x00000001400B2000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      712KB

                                                                                                                                                    • memory/2160-120-0x0000000140000000-0x00000001400B2000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      712KB

                                                                                                                                                    • memory/2160-839-0x0000000140000000-0x00000001400B2000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      712KB

                                                                                                                                                    • memory/2200-89-0x00000000001F0000-0x0000000000250000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      384KB

                                                                                                                                                    • memory/2200-95-0x00000000001F0000-0x0000000000250000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      384KB

                                                                                                                                                    • memory/2200-215-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      696KB

                                                                                                                                                    • memory/2200-88-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      696KB

                                                                                                                                                    • memory/2204-626-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2204-633-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2208-575-0x0000000100000000-0x0000000100219000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                    • memory/2208-309-0x0000000100000000-0x0000000100219000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                    • memory/2256-250-0x0000000140000000-0x0000000140237000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.2MB

                                                                                                                                                    • memory/2256-142-0x0000000140000000-0x0000000140237000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.2MB

                                                                                                                                                    • memory/2336-728-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2336-712-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      672KB

                                                                                                                                                    • memory/2392-239-0x0000000001000000-0x0000000001096000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      600KB

                                                                                                                                                    • memory/2392-43-0x0000000000580000-0x00000000005E7000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      412KB
