4f3da9997e7c6353fd39f8ad2dfb9329478d7075633617e0c3cef2c72de2094f

Analysis

max time kernel
146s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
Size

1.1MB
MD5

09dc41b509137010045d5f136b4a3482
SHA1

78304e9c49c9351ddf3385a1502a77616f2f77e6
SHA256

4f3da9997e7c6353fd39f8ad2dfb9329478d7075633617e0c3cef2c72de2094f
SHA512

56bfd55e92c166893ce995f377b51e979398846d7292cbbda5023a37da8672ec149e929248e0c1763f9c3f11c066c7dd949a5f79322ef4769a10d33c6d26fe81
SSDEEP

24576:zSi1SoCU5qJSr1eWPSCsP0MugC6eTRDscnTL5g4rTeP0j/Viwlx:jS7PLjeTRYcTFBcg/Viwl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2900	alg.exe
2500	aspnet_state.exe
2756	mscorsvw.exe
2368	mscorsvw.exe
1300	mscorsvw.exe
2564	mscorsvw.exe
1924	ehRecvr.exe
1984	ehsched.exe
2740	elevation_service.exe
2536	IEEtwCollector.exe
1632	GROOVE.EXE
1304	maintenanceservice.exe
2808	msdtc.exe
1752	msiexec.exe
1196	OSE.EXE
1312	OSPPSVC.EXE
2460	perfhost.exe
2432	locator.exe
1056	snmptrap.exe
2020	vds.exe
888	vssvc.exe
2016	wbengine.exe
308	WmiApSrv.exe
1968	dllhost.exe
1304	SearchIndexer.exe
548	mscorsvw.exe
2028	mscorsvw.exe
1656	mscorsvw.exe
2956	mscorsvw.exe
3040	mscorsvw.exe
1624	mscorsvw.exe
2496	mscorsvw.exe
2352	mscorsvw.exe
1656	mscorsvw.exe
2296	mscorsvw.exe
2824	mscorsvw.exe
2708	mscorsvw.exe
1656	mscorsvw.exe
3116	mscorsvw.exe
3224	mscorsvw.exe
3344	mscorsvw.exe
3464	mscorsvw.exe
3560	mscorsvw.exe
3668	mscorsvw.exe
3784	mscorsvw.exe
3876	mscorsvw.exe
3960	mscorsvw.exe
4060	mscorsvw.exe
3076	mscorsvw.exe
1656	mscorsvw.exe
1728	mscorsvw.exe
2228	mscorsvw.exe
2208	mscorsvw.exe
636	mscorsvw.exe
3436	mscorsvw.exe
3572	mscorsvw.exe
3620	mscorsvw.exe
2504	mscorsvw.exe
2984	mscorsvw.exe
3900	mscorsvw.exe
3920	mscorsvw.exe
1468	mscorsvw.exe
3964	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1752	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
3436	mscorsvw.exe
3436	mscorsvw.exe
3620	mscorsvw.exe
3620	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
3920	mscorsvw.exe
3920	mscorsvw.exe
3964	mscorsvw.exe
3964	mscorsvw.exe
832	mscorsvw.exe
832	mscorsvw.exe
1904	mscorsvw.exe
1904	mscorsvw.exe
3292	mscorsvw.exe
3292	mscorsvw.exe
3384	mscorsvw.exe
3384	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
3660	mscorsvw.exe
3660	mscorsvw.exe
3916	mscorsvw.exe
3916	mscorsvw.exe
4048	mscorsvw.exe
4048	mscorsvw.exe
1128	mscorsvw.exe
1128	mscorsvw.exe
3236	mscorsvw.exe
3236	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
3644	mscorsvw.exe
3644	mscorsvw.exe
1832	mscorsvw.exe
1832	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
1936	mscorsvw.exe
1936	mscorsvw.exe
3900	mscorsvw.exe
3900	mscorsvw.exe
2388	mscorsvw.exe
2388	mscorsvw.exe
3960	mscorsvw.exe
3960	mscorsvw.exe
328	mscorsvw.exe
328	mscorsvw.exe
1280	mscorsvw.exe
1280	mscorsvw.exe
2208	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5b1fd473ae4ef42b.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19D7.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91E3.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9FD8.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1786.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8F.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6393.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1724	ehRec.exe
2500	aspnet_state.exe
2500	aspnet_state.exe
2500	aspnet_state.exe
2500	aspnet_state.exe
2500	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2696	2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: 33	3012	EhTray.exe
Token: SeIncBasePriorityPrivilege	3012	EhTray.exe
Token: SeDebugPrivilege	1724	ehRec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: 33	3012	EhTray.exe
Token: SeIncBasePriorityPrivilege	3012	EhTray.exe
Token: SeBackupPrivilege	888	vssvc.exe
Token: SeRestorePrivilege	888	vssvc.exe
Token: SeAuditPrivilege	888	vssvc.exe
Token: SeBackupPrivilege	2016	wbengine.exe
Token: SeRestorePrivilege	2016	wbengine.exe
Token: SeSecurityPrivilege	2016	wbengine.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2500	aspnet_state.exe
Token: SeManageVolumePrivilege	1304	SearchIndexer.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: 33	1304	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1304	SearchIndexer.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeDebugPrivilege	2500	aspnet_state.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeDebugPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe
Token: SeShutdownPrivilege	2564	mscorsvw.exe
Token: SeShutdownPrivilege	1300	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3012	EhTray.exe
3012	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3012	EhTray.exe
3012	EhTray.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
2448	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
3728	SearchProtocolHost.exe
2448	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2448	1304	SearchIndexer.exe	56
PID 1304 wrote to memory of 2448	1304	SearchIndexer.exe	56
PID 1304 wrote to memory of 2448	1304	SearchIndexer.exe	56
PID 1300 wrote to memory of 548	1300	mscorsvw.exe	57
PID 1300 wrote to memory of 548	1300	mscorsvw.exe	57
PID 1300 wrote to memory of 548	1300	mscorsvw.exe	57
PID 1300 wrote to memory of 548	1300	mscorsvw.exe	57
PID 1304 wrote to memory of 1916	1304	SearchIndexer.exe	58
PID 1304 wrote to memory of 1916	1304	SearchIndexer.exe	58
PID 1304 wrote to memory of 1916	1304	SearchIndexer.exe	58
PID 1300 wrote to memory of 2028	1300	mscorsvw.exe	59
PID 1300 wrote to memory of 2028	1300	mscorsvw.exe	59
PID 1300 wrote to memory of 2028	1300	mscorsvw.exe	59
PID 1300 wrote to memory of 2028	1300	mscorsvw.exe	59
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 2956	1300	mscorsvw.exe	61
PID 1300 wrote to memory of 2956	1300	mscorsvw.exe	61
PID 1300 wrote to memory of 2956	1300	mscorsvw.exe	61
PID 1300 wrote to memory of 2956	1300	mscorsvw.exe	61
PID 1300 wrote to memory of 3040	1300	mscorsvw.exe	62
PID 1300 wrote to memory of 3040	1300	mscorsvw.exe	62
PID 1300 wrote to memory of 3040	1300	mscorsvw.exe	62
PID 1300 wrote to memory of 3040	1300	mscorsvw.exe	62
PID 1300 wrote to memory of 1624	1300	mscorsvw.exe	63
PID 1300 wrote to memory of 1624	1300	mscorsvw.exe	63
PID 1300 wrote to memory of 1624	1300	mscorsvw.exe	63
PID 1300 wrote to memory of 1624	1300	mscorsvw.exe	63
PID 1300 wrote to memory of 2496	1300	mscorsvw.exe	64
PID 1300 wrote to memory of 2496	1300	mscorsvw.exe	64
PID 1300 wrote to memory of 2496	1300	mscorsvw.exe	64
PID 1300 wrote to memory of 2496	1300	mscorsvw.exe	64
PID 1300 wrote to memory of 2352	1300	mscorsvw.exe	65
PID 1300 wrote to memory of 2352	1300	mscorsvw.exe	65
PID 1300 wrote to memory of 2352	1300	mscorsvw.exe	65
PID 1300 wrote to memory of 2352	1300	mscorsvw.exe	65
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 2296	1300	mscorsvw.exe	67
PID 1300 wrote to memory of 2296	1300	mscorsvw.exe	67
PID 1300 wrote to memory of 2296	1300	mscorsvw.exe	67
PID 1300 wrote to memory of 2296	1300	mscorsvw.exe	67
PID 1300 wrote to memory of 2824	1300	mscorsvw.exe	68
PID 1300 wrote to memory of 2824	1300	mscorsvw.exe	68
PID 1300 wrote to memory of 2824	1300	mscorsvw.exe	68
PID 1300 wrote to memory of 2824	1300	mscorsvw.exe	68
PID 1300 wrote to memory of 2708	1300	mscorsvw.exe	69
PID 1300 wrote to memory of 2708	1300	mscorsvw.exe	69
PID 1300 wrote to memory of 2708	1300	mscorsvw.exe	69
PID 1300 wrote to memory of 2708	1300	mscorsvw.exe	69
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 1656	1300	mscorsvw.exe	83
PID 1300 wrote to memory of 3116	1300	mscorsvw.exe	71
PID 1300 wrote to memory of 3116	1300	mscorsvw.exe	71
PID 1300 wrote to memory of 3116	1300	mscorsvw.exe	71
PID 1300 wrote to memory of 3116	1300	mscorsvw.exe	71
PID 1300 wrote to memory of 3224	1300	mscorsvw.exe	72
PID 1300 wrote to memory of 3224	1300	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_09dc41b509137010045d5f136b4a3482_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2756

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 254 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d4 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 278 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 1d4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 1d4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 1d4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 254 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 29c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1d0 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2c8 -NGENProcess 2a8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2a8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a8 -NGENProcess 2cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f0 -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 2cc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2cc -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 308 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2bc -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:3240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 310 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f8 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 318 -NGENProcess 300 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 308 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 310 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:3192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 338 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:4012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 1d0 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 328 -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 2d4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 348 -NGENProcess 1d0 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:3236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 1d0 -NGENProcess 33c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:3172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 350 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 2e8 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 320 -NGENProcess 33c -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:3532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 35c -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:3352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 348 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 33c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 33c -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:3880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 368 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 374 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:3500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 2e8 -NGENProcess 350 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 384 -NGENProcess 370 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:4036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:3764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:3104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 350 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 3a0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 384 -NGENProcess 350 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 350 -NGENProcess 370 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 36c -NGENProcess 3a4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 384 -NGENProcess 3b0 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:3576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 374 -NGENProcess 3a4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3b4 -NGENProcess 36c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:3648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:3712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 36c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3b0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3a4 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 36c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3c0 -NGENProcess 36c -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b8 -NGENProcess 3d0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d0 -NGENProcess 3b8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3dc -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 370 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3b8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 36c -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e0 -NGENProcess 3f0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c0 -NGENProcess 36c -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3f4 -NGENProcess 3e8 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f0 -NGENProcess 3c0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 370 -NGENProcess 3fc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f8 -NGENProcess 40c -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3b8 -NGENProcess 3fc -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3fc -NGENProcess 408 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 414 -NGENProcess 40c -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3e8 -NGENProcess 410 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 410 -NGENProcess 3fc -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:3472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 420 -NGENProcess 40c -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:3512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3e0 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3fc -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 424 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:3480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 3e8 -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 42c -NGENProcess 43c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:3380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 408 -NGENProcess 40c -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 440 -NGENProcess 3e8 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 43c -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:3652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 42c -NGENProcess 40c -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 408 -NGENProcess 448 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:3624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 438 -NGENProcess 428 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:3616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 454 -NGENProcess 40c -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 448 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 45c -NGENProcess 428 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:3892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 40c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:4012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 454 -NGENProcess 448 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:3504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 454 -NGENProcess 460 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 460 -NGENProcess 458 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 470 -NGENProcess 45c -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 45c -NGENProcess 454 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:3184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 43c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 22c -NGENProcess 454 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 458 -NGENProcess 45c -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:3172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 40c -NGENProcess 43c -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 408 -NGENProcess 454 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 454 -NGENProcess 458 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 474 -NGENProcess 43c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 43c -NGENProcess 408 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 408 -NGENProcess 454 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 47c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:3572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 47c -NGENProcess 22c -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:3624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 22c -NGENProcess 43c -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 458 -NGENProcess 490 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent d4 -NGENProcess 43c -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  PID:3976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent d4 -InterruptEvent 494 -NGENProcess 40c -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 498 -NGENProcess 408 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 408 -NGENProcess d4 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent d4 -NGENProcess 408 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent d4 -InterruptEvent 408 -NGENProcess 40c -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 4a8 -NGENProcess 474 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 474 -NGENProcess 458 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 490 -NGENProcess 4a8 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 4b4 -NGENProcess 408 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 408 -NGENProcess 474 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 4bc -NGENProcess 4a8 -Pipe d4 -Comment "NGen Worker Process"
  2⤵
  PID:3440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 4b8 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  PID:3248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 474 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:3812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 4a8 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4a8 -NGENProcess 4c0 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:3668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4d0 -NGENProcess 474 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:3520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4c8 -NGENProcess 4d8 -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  PID:3856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4d8 -NGENProcess 4cc -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 4d0 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 4bc -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 4cc -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4d0 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1196

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:308

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3728

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
576KB

MD5
7dabd49139745126118d859758d42ce9

SHA1
7bce9f1df46f730c4e8c1fc6e35ffbbfad8f4e59

SHA256
2065d9b04dd0e33881d517ef605e8fcbb6238d6c43adf992ff8c89341a135178

SHA512
5ccf5c24f24657f5de0f67e32dbcbe71a7045df95f7599a58e069358c04aa6323a45d7b68f581ebeac234d41bd162ae2258abbfba6e422bb3d704918013f1ade

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
192KB

MD5
53115c3ebbf957288330e8e3a9d12bbb

SHA1
89637ead2301aba537c1fddc82ba99da41bc92ac

SHA256
e6dc5ca6b96c021a9be517110278dbc7e0e9a3dfb8ae3ff55e7f38f788ed5de0

SHA512
1fdb6de6bf06a00d9fb6da5c8283c26308a6c85a8c82a1827d62f2a529abbb904ac321b972a4b253022edf5504aaf7af6480fa2ef886c3315e9ee3c04cfa65ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
70a4250b9996491cf71b43f64ce2eb60

SHA1
6f2cf2e0a0c3b4a737f9a0da2b91ef1a5a4bd8bd

SHA256
0f1923ceedc646426ae7e8753d0621e69c7a46840029d30014dbabad82fdc87f

SHA512
ee52a47131a4035bcec7012cdf3e2dbaa789ee5b6ec9ed6d69fe71cd5440f5c394822e9e73ffc0aa996458b6b7303220a5136929a9e323a8540c23711e4b6db6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1024KB

MD5
4b06191ac64e210bd719a2f786f58d3e

SHA1
2f9f72531233915d33cabd4166aeb37c5178b30d

SHA256
59df76f64e171eae9ea4964b5b8096f61abc7c3fa4f4a03c91e01ee305d72703

SHA512
42a8fd6c23d8388bfe087c49fe40994e052583e5a72e713c025ae279f46f028a883e48f074dc38eca854751c8f09fcd34205dad952124a0bbaebc890c35688a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
448KB

MD5
48b5a2ee28cee330cd2338bf8c18f431

SHA1
b18498345546ced59701e47d9c66928bda33be8e

SHA256
bd4031b56295518f6c74f32da5f6c1bc214c755629b4202df06d1b3858710054

SHA512
76ef19e7a3df106b400843629f8fcfcde0e4fcb6bb75e1aee51472493afaa4fa86b47015b2fb2cd231092f6a405f46e3cae3b473b54c0e7648246f15d32ae7df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
512KB

MD5
11b0c77247261031222b8ae32c664644

SHA1
1216e56f382b8bf49854084cce9e478a9cb31dd7

SHA256
179a9b6b17e436cd5748f6229ff15232b0874e610ddd17fb72b95575024eeffa

SHA512
997cbb78dfe3cad30a0b1809f7272d2c2cba8e1c3bed25b2ca71e624f542aa5c4dcb92133babc36cefc32b6d6c54dca0d4c26a604c85102e74ad1919df684afe

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
448KB

MD5
b1c94f10ad698f468e2bc124a8be2da7

SHA1
c951fca1b02a6bbb07bd5b576c029bf521cc66a3

SHA256
6e86b6da4893ae59c338c3a5d3903abf4ae465e98df51ce5bb777a8272dea17a

SHA512
eb2ddaff53c4f77440c418ebbe6bd3f62cc434837e5a01ba544a044d26045ce948ee26909b479dd6e5c1146e6e8df4edfc86e44231b56068cf67cb17bd301202

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
512KB

MD5
18475d6f4f5f850d309c2a39c9469849

SHA1
c9e8a6b0f1ef03dd855e7ad02cb3d7c0e81b9f5d

SHA256
22938200ffad8b7752e0e058f9d9437279be4259c478cf14b2fa6fd0ebc4df45

SHA512
056619598a0c96b6bc1ce82a4367f7cea37ecaca7353ef972683d5be5e3332aa7c56f666f29de17923fbd27bcbeb23e6533921dbcd4fc016424593c9fd937703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
c0aaf481060e1c1744e0d461a8139684

SHA1
385e9a1026e0b9664477c1e2d3b8bc433037cee6

SHA256
7c984b1f51eaca5b0597a60084103e39ed3009b7a540d6c8155b111e120bed7d

SHA512
43bc661ec2b1b443440c6c526348a340d30943eeb55372873347efc2f8405e34ffffba9776d3307642dec81308b857728f721dde30606e7e12f43ab72d0ccd6c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
704KB

MD5
6812e399782b0bd146e9b0bf2673cda0

SHA1
0e3fd070f0bccc91c5cd33f53432346f23ef3c95

SHA256
445a8852b7aa67a0ad6015fe2398e70280ff72a4b5827ae96570a15192ee9588

SHA512
2fbcb402728a347ae9e84eb423bf662ee03f357f067ee3e858192b0b86ded81d9bcc05b7134400bec2eb0e930aa496e7903e629d444af863f08877adf259cd2b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
d28e975ebbde49d488a03de9eb7d983b

SHA1
067f519eda508e913d8adc52a44d61333de920e8

SHA256
cb1a0240ff51b5f5fa635d556e00800375bc6b172234e036c0d8f02c764edbad

SHA512
93d2dc9a4885e4ead695988f26fe590d9e13a98f03c5fb0f9e696400a95a1ee3f010c9f159153e70b13e8b7aaa339bcef49a5815e8dba503cd59f9df638b3565

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
4dfd4d8273f07d6f611db8134241a58a

SHA1
01532162c8022885d4b4e9ffaf052e70aa50155a

SHA256
e924ddb2e94ae0396c64b7535d23bb50ce5e10f66f11f0a06e3be63721100839

SHA512
f566586164036219f0973b4db1d2735bbbc87bda0b7c8701e082b97daa2a18758050ebbbf9d01e18c465c22e2f13b46301cb5c856bcf83f23c6482a7a7a7af34

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
9d09a1c13d156c00c5cbbc3b8604c425

SHA1
34da671cb7ae991c00c61821ecc4751cb5d8637d

SHA256
8ed00be8a6d061533e67a9cb603361bbb5e362daacbd9d2822e6fa295672627d

SHA512
6ccb9d7c9d5cc2f834553539d0af4d986f42da29d4662970eaee35c30308c83eb65d3e2c982d5c54a7dd3d40eb99ea7cf3c6014556ff844f68a03ea55e672366

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
4de1c19317170f12d03b99f9c1558135

SHA1
9bd540cab9815b5e1a4379a46209220123e9c2c8

SHA256
6906e07eb2cb490f0f7433eaf9f98a1341650937c9fcdb2a5f781059a5429fc6

SHA512
1f16886e5a148e368eefb3902ee00d1fbf989a1d2b4727baedf93fd2867e537efbb9a1f3f1208186197b22de1bbce0c7e3dac6eb6dd79085b4e5eb0028eaab41

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.4MB

MD5
2f4a571af3a1772c11b70ba18a1fd488

SHA1
5cd12d1e79abb7f0d104434bb7abf06417621ce5

SHA256
2c1effa1d61932ea689ca54ea3d9bfffc165243cb4ddfe768d0e432a7b72d88d

SHA512
1d134b088ed5846bc06f5ab6ab0e913475f151c3504a2f8b74239302c48ca63679dcd27208aa996a148066ba43a79e3178cce63771887403121258872cdf46c0

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
448KB

MD5
199e480dfa79a5e4306cd12b11a64fca

SHA1
3db5d4bc62b94a2a5bf661145a10894040496f00

SHA256
193780e6cad9261a88ba2c3ef10e088b0c8c48fc7be7a256c149db0a96c77928

SHA512
85df37ab4e434b7090fcc1e62ba0c03c6fdd60faf0c20ddb0e4b11311966b3033480e52e670e3f8b21f56b24556ab4e729b8de88fd12297b5fb9278a3729fc02

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
448KB

MD5
0f7ac0aa8b29b419e66f6a2c8c9eb42c

SHA1
0a049f64ec52f2c48c18379f7afc914b979f5c63

SHA256
270bc175cf3789d3efc11d24451b5e3aea14d84ff0f14474e79ee8f66dff55d5

SHA512
aee0e88b2b2f0a1f80b8ee29d22e2ebfaf5f353e0ffed5a1f255fbd68c2cc67afada61fe0cfbfbd3fdf47605ab97a08ba3b11c5876fb700c67c184c62affe0f9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
704KB

MD5
ff47ecb61831590f5ff09cd1938ed452

SHA1
2a278891e5f59ef7564ac4e75959e576432cc0f3

SHA256
15c9f7a1f64b78081cb07b3aef37dd5ce7da37ecda8471b25e7a9c905bec6aac

SHA512
96dca37ad401d759172456cdaadbb6ef7ca5c99315fe1210acc86f863045f53b2dc72de5d18e4c26eddf95eb1eac11845c1944f78e20998dcaec1deee8375c13

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
d0bee6fe2a917a739f376b3295ef4505

SHA1
fe346028f67a09e3e9b03785324b8bcb7e7b2d21

SHA256
45355470d81d9bf436189d92e7dd3c77a6f40325eb849d6200daea984787990a

SHA512
c5d7c262e5b4f0a4d46a0ecdb68d5b26c94dd3dcf90e8d969a195a27cb8313654c7191ddbacaf26418c494797e8a908e002c967b55e327572793cdcb0c7be230

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
52b8d54b92031a8005c8689d020684bd

SHA1
a9f8d56ed58f376867cc5ff3714d2a17035c7592

SHA256
6954d72b6d8ec0c3b9ff63f35fafffdc3870ce836ce225d1e72ae96f4e80775c

SHA512
2a2bd4c84d16ae3197bd4da6f3aba726d76828265f22adda9ea1ba4392a0ce1cacd413ce5d4d64fde7f2fd7549ffaa3be518665021ec2464631cb2d37b53fb53

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
192KB

MD5
1aa0481afaf002d72f5b9c20475c8ff4

SHA1
ebd9f9a83608e4c1eeee1b9652af8c3b693736dd

SHA256
bd3b88a299bc622882e92c18c270daa3abc40c467209f87eda3957b49f23adad

SHA512
1eb8609d86de64d799bceea2fbe071f24bc11e968973b7a22f8841121ab437eb85a4394adc97e58b61160e83ec718bbf23e4b154d123ea1c4b9538d236cd135b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
512KB

MD5
c6ddd620a62b370d65fe891c2901fdb1

SHA1
724cf0148d3500955d2c92adafaf45b212e1f9ef

SHA256
e658d2cfed5d7c33f7e0b2e827e1494d7e93b68abcb649d01997eb03d627d863

SHA512
ed940707288d258e429b9c47d5023aad5cde1389086f4240b790814792e2d6d1bff39311dd8a971b439dd3d4a962baebab334572c1010c2963bfaf910ade1797

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
40901c87b9c8e7324776a096c1d36426

SHA1
2e2b60a40e5cc874f1b855a3209f67605ed734c1

SHA256
fdae2a6f873d044653a700af464160aa55393f7012e7971a1f2b814af6f388f5

SHA512
c4b41febb23c00ce534da7ce65463976688af31bd56c6312f48055ed26d93a9d2c68500ea417e80a052ebccc93de323db9d344b4593d81b2a3c1888aec17bfb9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
192KB

MD5
c3964fc4f55021a38e139b9c58b079fd

SHA1
b3154124aac1101974ec7ace081b5ae693fdcc07

SHA256
58f6b856b97e7d1a17f2392ab000479a5f33f4756a455e0e4e27a77902257542

SHA512
75dcc01b14d11c8a1c495249ba2e1f3a786cb93bd73df97b2ca5b8f9a1b93e1898479db29570afe4b719fc631fe6e056bdc2d0830014a50bfecdd195981dda5e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
448KB

MD5
f7639ac71f45a3f2760100354ce5de47

SHA1
af3bf6ec04c637244371caf01c29efc2e4463e3e

SHA256
f945bf6f84414c5bd5eca086c60ac27bec7199b147eae61943b92a7a924b5c52

SHA512
c610af66d9f867ebe1f955e05c4dd22a5f4f2a6958e9f263f384ebd8ad6cdd1bf5381654b5e1cdb1612422e8ba4db1234fca5ce96b5af4ed7d3468fdd43f73ad

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
8d23fc71f00962a0d5af9d17605c4c32

SHA1
0e89f9dd0e768665b7314ee07fa7e13e753622f6

SHA256
4cbd3643daf54fc62c40959b19a4186970705bd91f62bb645940d0c1ed1bd0dc

SHA512
1fd66d6c14ed5f92f8d24459120d3eda9fc05f11924fc183d8a82a002bf776f673502d918a71d7a36eb41b373796678cbf73eaa48c4e8716751e0ada08cd506d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
704KB

MD5
2f2639194920678e8c3ecdccabd14557

SHA1
f8774bfe5839ac1057927b7c7e78d9a0674ed96d

SHA256
2a6e2289823e29e6dd3c748570e50a158c1312ebfab779d3cfbec65805eca0c5

SHA512
58679fee17e522cc7a53a0b07d5a7c593ae307c402e2e2c819d58a9d139c06d75157be140839311df998d2d90dbf5b15919647e71086cea3e79ae9d427111c92

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
582aecc12785760f5db4abce48b31e64

SHA1
50ed3630a71bde088dfeab69e6bc3b601a4c0361

SHA256
01475733e82e2501c4810712b88742bc57b6812b0810b163727cad4a4524092a

SHA512
1272a9ca1115d401f783280520e804ecfabe51bf3bed4cb2293a83196fab60cdc1a24d4339d73ed3401ceec4bcf1382cf8a5f3045e0de857ba712527b842e260

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
128KB

MD5
433dd350eaf3ed771f1a24597fc11f79

SHA1
1ade8ef25978190b1c6cb49c830e206f8e64712b

SHA256
2741bbb42df1b0da98919321ae24b8b6e13eb6be7af750432bb0b10052d121b0

SHA512
aba06e63f424a84beb5ae8e14f422cf71d8208c583444fab5624f541c14d8c5c8b6195a19a7aac9837aa367bc0491c1904d08b8e3d3940ebfc049234a7c7b09f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
192KB

MD5
7647c718ec7b35dfe5a1127cca47907e

SHA1
7b2de692fa2db1501fda4c7e4ba4009158ee8006

SHA256
2f57736df674cea0a541f2aae3afdef8b10c7d671cb31bb468e2c7f3f4ef4d2c

SHA512
3d92d389ffda994416c856c7f8998f6b361255eac2e2c11819275e315ffdefd905f5de7c59d646063cc3673dafe6274cae6da9ca989efb85df585a99927fabf7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
448KB

MD5
69632328861b3e6f2d77b57ec918551b

SHA1
b38c6713b8570e0d4759d957cd97d59b562ab05e

SHA256
880a45683505ac0b98365d3eb996dd66dc3276f069dbd9ca31c6e1ccddabede3

SHA512
abb2dcaa6dca23fa510465bc9d53eaba2cf59652709d954335611f47416042b076549d2dd195cea157c84527adfdc57748a92702e5ccb281a26eab856bff5e27

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
512KB

MD5
32fed975972089a0013e78702e76c316

SHA1
dea5541b44b16abd8c8ce8ce3950ab4ba7e6738f

SHA256
f2ab7bf97c0f04fec0e94e1be4bb778df243e921f51ee3a4ff4706878c3ffddb

SHA512
80a50cab1411279da9c45ece5214e82b32d6e7185f712291053a4959e2e6d99b577763518762f6068b30833dabc18306b9ec0f9a65c5af0c5e6c4e1c7215e4dc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
448KB

MD5
6b4437f35f590a9ffb67a36cd0097a0a

SHA1
81f748e59e96626902c3f6144ec849a3d44f4f03

SHA256
ee5713e0a6e9c9b103148661e59a9c0953e640d00b915556d46de1f483b6668a

SHA512
a72b898401c7ef8abba7d16596697e26582f9914eaa34ab292b62a27dec83938f8e0535e1e2ceefd3852c4d3deed6ee6ff9af8b70adf21ad870ba7f6b0bab48e

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
e023a6ad842a55186dc862a30b3c880f

SHA1
10da883bdfaf76f36ce52fca78f6c0fd88e87caa

SHA256
9ca9a0e23cb2895ef6a62b8c638384bbc4a3cc5ec0b66161092130d83892e3ca

SHA512
57c92ea352ffc4c122b799cc22b55bfe4fbdff430703d01ef0303c2b16232a63e8572f1c148fd4c538d7415bc68d0c28255af4dc0a6979c44441d7212bd72cf2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
128KB

MD5
f06aa919ad24b0325b48a19ecacf1216

SHA1
8ad12f5ce01ff7a609716638366121592e89181b

SHA256
9be221e27dc85eb3bc4dd2b34d871c233702dc0020e63b49fd70a78283ff288b

SHA512
66bed03017ab51bc941e2d67ead870abacb02cd43db00e7539e8e88fe970847ef5f9e69bf148260948c6c392f8a1f3abff4bd1a113a536233549eb869cc8fab7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
158KB

MD5
a763a9348ab4ee3bd593bb17d854e51b

SHA1
4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9

SHA256
b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b

SHA512
e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5428d342c47e8e33a380318a515d766e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
31b5b803ca62f50eb529443f2834ea59

SHA1
ed038a7e6d2e33da27f490eb7b69da2a0f667b27

SHA256
bb14fa5794700732fb31e6c9cdb81971582485721b74282b302b0111cc7fc26a

SHA512
56da09f13106fd1427297587b5ef471159f48f46a5dca3b39d4bfb69a4157dc4981687ccc8deba29ce026dd24b16296c79a45149885cf518faa6a88d1821d734

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
157KB

MD5
7bdf8e0c9aa04b71a52dd964005f4363

SHA1
a87e809146d3c70093a189c37f0a96b8bd0ce525

SHA256
0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b

SHA512
4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6809cef962a7f8a8b8b8d224c6ff3fa8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
cf1332329957a67e3a7aabffe29cfecc

SHA1
06c913ff2eef56c8b372a707479f26c6d58a1a44

SHA256
4f2af689db56f9762a0ab957f950f5dc9256b8cd3198011e2d0d9988173f5851

SHA512
4898f9926e66088819fd696bb6e8f9f5b5be52f746a7dffb4248b0a5558d3c46cfb904bbf63d81f03f5766ca394a1d56b96a47b4d7f3138a658f1a332751fcd8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7470e0b054169dd3ea3c027ddb99fe6d\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ebf1a4c4f9f4465dd9314340874ece29

SHA1
1677cf45e59a605e0299c46fca8abb038b623aa3

SHA256
b2d40ca63850840c40860d081116bf52af5c7df09351b9363aa1129c3d345b58

SHA512
8c5b6657dae08f594702d67d494878feed6a591e8f875944a06f5d70ca8e686d8994735e12aaf34e696267df07b57d4169e1cdd1188c769fe7749918d9c5d37a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
607KB

MD5
e9ca062e4958cc25400c804029a5bf62

SHA1
1ed4374d0d0f568936fdebe17d9110481d6b3344

SHA256
a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0

SHA512
43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
141KB

MD5
58cacef7cbc000bb5ddeedc08a598f36

SHA1
f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7

SHA256
124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270

SHA512
9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
192KB

MD5
5ed6b505c683c9b12057ce583adf1630

SHA1
c1fb10192a79c3b6b4bca13d0c38be7b41186a54

SHA256
263c517ef9e21b351d263f7ea26eb5520399b91cf23b000b165fb9555febcc2f

SHA512
3c11601a0d817a44dfff4cc67359ed2ba988523452cd9ebfabbe945af0d1edb6bd41c691a76e686efb9a1cf176fa78d0b3e762ddc8b98ab2137e5e170a0eb977

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
448KB

MD5
9c8418a8641ee33a09a712d7ddd88760

SHA1
8690fbabc5596c6b81c9604e81ffde6102402cee

SHA256
ca8aae8b1fcf42962e4192f25c24ec0d22ef3001a1ee78bdeac053e2f117dea0

SHA512
8252c02d068b172ca839d46d3aa8cae4395db99963c80df87dbce5d27dd53688d02bbb9be6715c660c6be622359c5a4fe6ceeccd6b1b6c5ef071f6e9e8cf0d88

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
87336384662ec92e8f2892719a23a368

SHA1
b66f73e9641d81a763d9b2d8ac8260a948ba7a75

SHA256
2ee9ec9b147ae16379ed3949019e0aa0885975673dfa0b4baf433132f36e55d0

SHA512
794942b63991dfd0e135f76e2b9e07a9f780713aadd065ba2ed7dbf1ab89507db96d8ef7b864c62e3a6cfcd0c6f6b1fe5e8898e5f6b6d16a6c14815ca6953718

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
576KB

MD5
6e4e92d02f8d5cbde519f04218b6b330

SHA1
dd7579882adf9bd576fa8f9ebe8452fa582e28a1

SHA256
8e3cf847bfc68ff8ea0720af5c7d05fd35f3684ace621d5d63400efde063f673

SHA512
36e2ce8e582b87153934812824b5f9e8a3072699886983d3151bac481a3dc23a0048e29771919a643870966ed26acea0404cb1708134ffe714dfe7ceb20867c5

Download Submit
\Windows\System32\Locator.exe

Filesize
512KB

MD5
aebaefd8327da215f170406dc8a17c9f

SHA1
f4cca9887a5f375c156aad8eb8d2e6716c005c59

SHA256
59d3e73cace84c2008d326a8a7554b614e884758320747be55d31abea7211441

SHA512
1203b256fa903bb7273d519f0b20befbc468915d6254b4f7b65e5e5181882177ebd5a8162bd0e5a15cdc1ce57be1eb1cd2c71302b4acc954143d9855ea5c61d0

Download Submit
\Windows\System32\dllhost.exe

Filesize
448KB

MD5
d751301d99662219a0eabf1ff5d43e2b

SHA1
9e1cff407e483c15aa8b333d36565bc7696522c3

SHA256
3d9637139108314f82bd5b22bfc64db935dda933300d1334d2e91a7ee283a4b0

SHA512
b8a3528df054c1b672f8e701e5bb413fde0b940c0649719a38113a737e3bf7ebe0eb89a29cc7578444dcfbc02242e4d0e71fa9f001f6ae2ad78e6a232056e67f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
448KB

MD5
bcde7e4fb8633ee5db795c58bd33f80d

SHA1
513d20a9c189fcfc365750f92a46c570e4f91236

SHA256
4025f5fd68ae33cba38edb269789005dfa23f9f17bac601c283790c9aa8ad971

SHA512
2d79826489c01a9718abf9a9314c0194df9a407bc0142a9221cafc453214922af9baf7e8d791eb87e7e96d9c72dc4fd09bb73adab6e41e08ce19023a8ffe9fa0

Download Submit
\Windows\System32\msdtc.exe

Filesize
576KB

MD5
004ad26cfce481dce22e824a478847e5

SHA1
3e4b867631d6d94b987208122a69d2c608a3939b

SHA256
f9cd79ae3458bc1e82107f20b4f7057e3059ce05d3cdad7eafa9d8931e68c4c7

SHA512
52d4a0e34c215a5de364575a7e7a967b6d82b3b1795cbbe94ca3d48a57adedfe17fbcfc56cb259b39c793bdd9783fb260533e75c71c6a86379670ed850e4b3f7

Download Submit
\Windows\System32\msiexec.exe

Filesize
448KB

MD5
64f6d3f4901f6dbc35e02f6474404c20

SHA1
dd3862a4ab9e91cf13524ed99dfffea6ce07543c

SHA256
d5aa50dd3e0a858470646ed869c145758fb0923c7a56e13a06411942a65d0916

SHA512
6d7ad07a427bc414b4614fb1810ab84f171b578d0d042eb76b447fbc00c4c5298ec2a23470621dd89ce8c94812d7e4978b98693fd188f642d716564499f4d6b3

Download Submit
\Windows\System32\msiexec.exe

Filesize
192KB

MD5
39bed93ff597b8bdcf215f30f97cf782

SHA1
4c07004c8c3090337e4706182bd278dc473c314c

SHA256
0705214da7550fa20342bc537813df77d1d711c741360b7f13b04ac77f65744b

SHA512
6674a84d6b1c412311a04582dbc14cf2c2bc2d77c473fbac5f852cfbe3845518326f82a4a859f60a21b9d02107a911df30d469a618cbca052e7d0c4299a427d4

Download Submit
\Windows\System32\snmptrap.exe

Filesize
512KB

MD5
d906d10254a3477746577a8737149c77

SHA1
3d839c005e280ca2c9697ea26006830815a669ac

SHA256
3a01b66f6cb3c6cc9863564a0346dde8c865d935d8c39e4b99c598a96a54ba25

SHA512
f32799f7898946c2eb1373992793e2c3ad5b6bcb3e47640e9d245879fea820b38378a1900a52bb0b74290f426bc3e9c35da1f705e34632b838d8ee6239afc7c1

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
384KB

MD5
ef24461aa4fba460b679eb4e92fba1a4

SHA1
2f18f0a72c7f88751b242ccfc618d1c259509778

SHA256
3c06f3101a440b627fa24ffe4a6df00acacf67bb01870a071dfbc82b1316f723

SHA512
61380222758b2eb8f10c2f827658b57a48c280126b3b5d936d43df778b2ef9f8b91649b885031682ef43bb11395c0e6b8342649f68e962146bcc2a27c0130056

Download Submit
\Windows\System32\wbengine.exe

Filesize
448KB

MD5
acb39f25d5e83c36920e3779bc5b10b4

SHA1
0fc3e0fe19020fce7b956019c9baf11a4b3b366d

SHA256
7ec15ef72d2df784cbe921d2d048cc636530e9a8a098fc9d184a4553b5c88506

SHA512
f37d8e005aebff469f37c31566dcf4e06a2ae2e2fd7efa0ade53d5cd25f58c099d11e3059f3dcc5a03b6c882ebf32b946a61778ec924721d3056c9dc5f9c6365

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e682042f330b237fe666c608ab5c8244

SHA1
41dbea7355271208f29f1ecfffb931a71cbbc763

SHA256
0db7f1cc39b8c688256da46a0411a8ee13e29f85d95892bb6031fc0c72f25824

SHA512
888df1821c72eac002bbb25fbb62b87f2f5e2d0c41d152c5b6e1838d2a9a5ca4430d550e31c6ae95c829e92c0c772762c99bad7e251a1bf6cc53fc4156f1feef

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
7a7f1de5b38c90e58e0d6f618a292d22

SHA1
382ebc29d837205bfde5fb132d90059dcd0348c7

SHA256
7d8a3e3f6a386ad085c529c93bc4b3147835aacc735b0e6ffa0a7fc1f67c3dce

SHA512
80e6f18abb46a3a02c8c9ea4833e9673fd185d683df06771308187722a950c52ed7962a551de43dbbab685bf694b713311880dd0bb63c4ba8fe1c75b4b3ca51c

Download Submit
memory/308-247-0x0000000100000000-0x00000001001AD000-memory.dmp

Filesize
1.7MB

Download
memory/308-554-0x0000000100000000-0x00000001001AD000-memory.dmp

Filesize
1.7MB

Download
memory/548-433-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/548-381-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/888-508-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/888-237-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1056-226-0x0000000100000000-0x000000010017F000-memory.dmp

Filesize
1.5MB

Download
memory/1056-476-0x0000000100000000-0x000000010017F000-memory.dmp

Filesize
1.5MB

Download
memory/1196-192-0x000000002E000000-0x000000002E19E000-memory.dmp

Filesize
1.6MB

Download
memory/1196-270-0x000000002E000000-0x000000002E19E000-memory.dmp

Filesize
1.6MB

Download
memory/1300-184-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1300-73-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1300-904-0x0000000001E50000-0x0000000001EDC000-memory.dmp

Filesize
560KB

Download
memory/1300-68-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1300-902-0x0000000001E50000-0x0000000001E6E000-memory.dmp

Filesize
120KB

Download
memory/1300-901-0x0000000001E50000-0x0000000001E5A000-memory.dmp

Filesize
40KB

Download
memory/1300-905-0x0000000001E50000-0x0000000001EF4000-memory.dmp

Filesize
656KB

Download
memory/1300-906-0x0000000001E50000-0x0000000001FEE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-67-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1300-903-0x0000000001E50000-0x0000000001E6A000-memory.dmp

Filesize
104KB

Download
memory/1304-592-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1304-271-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1304-171-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1304-240-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1312-205-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1312-379-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1624-511-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1624-522-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1632-232-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1632-166-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1656-637-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1656-577-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1656-450-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1656-655-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1656-591-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1752-179-0x0000000000550000-0x00000000006EB000-memory.dmp

Filesize
1.6MB

Download
memory/1752-176-0x0000000100000000-0x000000010019B000-memory.dmp

Filesize
1.6MB

Download
memory/1752-246-0x0000000000550000-0x00000000006EB000-memory.dmp

Filesize
1.6MB

Download
memory/1752-245-0x0000000100000000-0x000000010019B000-memory.dmp

Filesize
1.6MB

Download
memory/1924-107-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1924-889-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1924-214-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1924-120-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1924-109-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1924-101-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1968-264-0x0000000100000000-0x000000010017E000-memory.dmp

Filesize
1.5MB

Download
memory/1968-576-0x0000000100000000-0x000000010017E000-memory.dmp

Filesize
1.5MB

Download
memory/1984-810-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1984-124-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1984-220-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/2016-531-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2016-241-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2020-234-0x0000000100000000-0x00000001001FD000-memory.dmp

Filesize
2.0MB

Download
memory/2020-496-0x0000000100000000-0x00000001001FD000-memory.dmp

Filesize
2.0MB

Download
memory/2028-451-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2028-432-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2296-593-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2296-605-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2352-567-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2352-557-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2368-47-0x0000000010000000-0x0000000010190000-memory.dmp

Filesize
1.6MB

Download
memory/2368-54-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2368-48-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2368-83-0x0000000010000000-0x0000000010190000-memory.dmp

Filesize
1.6MB

Download
memory/2432-221-0x0000000100000000-0x000000010017E000-memory.dmp

Filesize
1.5MB

Download
memory/2432-447-0x0000000100000000-0x000000010017E000-memory.dmp

Filesize
1.5MB

Download
memory/2460-216-0x0000000001000000-0x000000000117F000-memory.dmp

Filesize
1.5MB

Download
memory/2460-428-0x0000000001000000-0x000000000117F000-memory.dmp

Filesize
1.5MB

Download
memory/2496-534-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2496-558-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2500-19-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2500-25-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2500-18-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2500-141-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2536-142-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2536-230-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2536-833-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2564-93-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2564-201-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2564-85-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2564-91-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/2696-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2696-251-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2696-113-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2696-252-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2696-0-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2696-9-0x0000000001D20000-0x0000000001D80000-memory.dmp

Filesize
384KB

Download
memory/2708-619-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2708-629-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2740-137-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2740-224-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2756-30-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2756-31-0x0000000000990000-0x00000000009F6000-memory.dmp

Filesize
408KB

Download
memory/2756-38-0x0000000000990000-0x00000000009F6000-memory.dmp

Filesize
408KB

Download
memory/2756-63-0x0000000010000000-0x0000000010188000-memory.dmp

Filesize
1.5MB

Download
memory/2808-235-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2808-167-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2824-618-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2824-602-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2900-128-0x0000000100000000-0x000000010018D000-memory.dmp

Filesize
1.6MB

Download
memory/2900-14-0x0000000100000000-0x000000010018D000-memory.dmp

Filesize
1.6MB

Download
memory/2956-484-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2956-488-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3040-512-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3040-497-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3116-661-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3116-656-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3224-673-0x0000000003CD0000-0x0000000003D8A000-memory.dmp

Filesize
744KB

Download
memory/3224-680-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download