6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881

Analysis

max time kernel
136s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
Size

1.8MB
MD5

9f7a6d8b430718b71b4b0ae96127fd64
SHA1

87bb754b6fce4bc12512ebe471de1dded709d1ad
SHA256

6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881
SHA512

cae2a3445bbefc51dccda4c0348d0700450b799b2f405f87598b3e06ac0438d89602ce49a8a4b8a061186ea1a4185ff7a075576a4c95262a867f760aaa8a1998
SSDEEP

49152:ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAiaB0zj0yjoB2:ovbjVkjjCAzJIB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
460	Process not Found
848	alg.exe
2716	aspnet_state.exe
2916	mscorsvw.exe
2008	mscorsvw.exe
1960	mscorsvw.exe
2068	mscorsvw.exe
2464	ehRecvr.exe
1908	ehsched.exe
428	elevation_service.exe
3056	IEEtwCollector.exe
2928	maintenanceservice.exe
2488	OSE.EXE
2380	mscorsvw.exe
1944	mscorsvw.exe
2376	mscorsvw.exe
2776	mscorsvw.exe
2040	mscorsvw.exe
2740	mscorsvw.exe
828	mscorsvw.exe
2260	mscorsvw.exe
1680	mscorsvw.exe
1244	mscorsvw.exe
2096	mscorsvw.exe
2896	mscorsvw.exe
2756	mscorsvw.exe
2932	mscorsvw.exe
2044	mscorsvw.exe
1628	mscorsvw.exe
632	mscorsvw.exe
1848	mscorsvw.exe
1600	mscorsvw.exe
2852	mscorsvw.exe
1144	mscorsvw.exe
976	mscorsvw.exe
2712	mscorsvw.exe
2640	mscorsvw.exe
2756	mscorsvw.exe
2020	msdtc.exe
3040	msiexec.exe
2652	perfhost.exe
2864	locator.exe
1016	snmptrap.exe
2416	vds.exe
1828	vssvc.exe
2640	WmiApSrv.exe
2884	mscorsvw.exe
2352	mscorsvw.exe
2800	mscorsvw.exe
1228	mscorsvw.exe
692	mscorsvw.exe
2032	mscorsvw.exe
752	mscorsvw.exe
2836	mscorsvw.exe
2700	mscorsvw.exe
2956	mscorsvw.exe
2916	mscorsvw.exe
2276	mscorsvw.exe
1368	mscorsvw.exe
768	mscorsvw.exe
2368	mscorsvw.exe
2320	mscorsvw.exe
2884	mscorsvw.exe
916	mscorsvw.exe

Loads dropped DLL 47 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
3040	msiexec.exe
460	Process not Found
460	Process not Found
460	Process not Found
692	mscorsvw.exe
692	mscorsvw.exe
752	mscorsvw.exe
752	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
2368	mscorsvw.exe
2368	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
3052	mscorsvw.exe
3052	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2900	mscorsvw.exe
2900	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
1564	mscorsvw.exe
1564	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
2648	mscorsvw.exe
2648	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\76536ead264f17b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\psmachine.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_pt-BR.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_ru.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_sv.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_es-419.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\GoogleCrashHandler.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_en.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_ta.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_ca.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48B4.tmp\goopdateres_el.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DDD.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF7B.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD14.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE55.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP83B.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030aef1a1d6dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030eacfa5d6dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2564	ehRec.exe
2716	aspnet_state.exe
2716	aspnet_state.exe
2716	aspnet_state.exe
2716	aspnet_state.exe
2716	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2152	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: 33	1964	EhTray.exe
Token: SeIncBasePriorityPrivilege	1964	EhTray.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeDebugPrivilege	2564	ehRec.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: 33	1964	EhTray.exe
Token: SeIncBasePriorityPrivilege	1964	EhTray.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeDebugPrivilege	848	alg.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2716	aspnet_state.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe
Token: SeDebugPrivilege	2716	aspnet_state.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeManageVolumePrivilege	2348	SearchIndexer.exe
Token: 33	2348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2348	SearchIndexer.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe
Token: SeShutdownPrivilege	1960	mscorsvw.exe
Token: SeShutdownPrivilege	2068	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1964	EhTray.exe
1964	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1964	EhTray.exe
1964	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2580	SearchProtocolHost.exe
2580	SearchProtocolHost.exe
2580	SearchProtocolHost.exe
2580	SearchProtocolHost.exe
2580	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe
2004	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2380	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 2380	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 2380	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 2380	1960	mscorsvw.exe	43
PID 1960 wrote to memory of 1944	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 1944	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 1944	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 1944	1960	mscorsvw.exe	44
PID 1960 wrote to memory of 2376	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 2376	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 2376	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 2376	1960	mscorsvw.exe	45
PID 1960 wrote to memory of 2776	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 2776	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 2776	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 2776	1960	mscorsvw.exe	46
PID 1960 wrote to memory of 2040	1960	mscorsvw.exe	47
PID 1960 wrote to memory of 2040	1960	mscorsvw.exe	47
PID 1960 wrote to memory of 2040	1960	mscorsvw.exe	47
PID 1960 wrote to memory of 2040	1960	mscorsvw.exe	47
PID 1960 wrote to memory of 2740	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 2740	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 2740	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 2740	1960	mscorsvw.exe	48
PID 1960 wrote to memory of 828	1960	mscorsvw.exe	49
PID 1960 wrote to memory of 828	1960	mscorsvw.exe	49
PID 1960 wrote to memory of 828	1960	mscorsvw.exe	49
PID 1960 wrote to memory of 828	1960	mscorsvw.exe	49
PID 1960 wrote to memory of 2260	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 2260	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 2260	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 2260	1960	mscorsvw.exe	50
PID 1960 wrote to memory of 1680	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 1680	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 1680	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 1680	1960	mscorsvw.exe	51
PID 1960 wrote to memory of 1244	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 1244	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 1244	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 1244	1960	mscorsvw.exe	52
PID 1960 wrote to memory of 2096	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 2096	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 2096	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 2096	1960	mscorsvw.exe	53
PID 1960 wrote to memory of 2896	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 2896	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 2896	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 2896	1960	mscorsvw.exe	54
PID 1960 wrote to memory of 2756	1960	mscorsvw.exe	67
PID 1960 wrote to memory of 2756	1960	mscorsvw.exe	67
PID 1960 wrote to memory of 2756	1960	mscorsvw.exe	67
PID 1960 wrote to memory of 2756	1960	mscorsvw.exe	67
PID 1960 wrote to memory of 2932	1960	mscorsvw.exe	56
PID 1960 wrote to memory of 2932	1960	mscorsvw.exe	56
PID 1960 wrote to memory of 2932	1960	mscorsvw.exe	56
PID 1960 wrote to memory of 2932	1960	mscorsvw.exe	56
PID 1960 wrote to memory of 2044	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 2044	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 2044	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 2044	1960	mscorsvw.exe	57
PID 1960 wrote to memory of 1628	1960	mscorsvw.exe	58
PID 1960 wrote to memory of 1628	1960	mscorsvw.exe	58
PID 1960 wrote to memory of 1628	1960	mscorsvw.exe	58
PID 1960 wrote to memory of 1628	1960	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
"C:\Users\Admin\AppData\Local\Temp\6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2916

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 248 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 264 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 298 -NGENProcess 26c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 250 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e8 -NGENProcess 270 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 26c -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d0 -NGENProcess 224 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 224 -NGENProcess 1e8 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2a4 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 270 -NGENProcess 1d0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 1e8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1e8 -NGENProcess 2a4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 2a0 -NGENProcess 1d0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1d0 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 248 -NGENProcess 28c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 28c -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 2a0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 2b0 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1d4 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2b4 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 2b0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b0 -NGENProcess 1d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c8 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 298 -NGENProcess 278 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 298 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2c0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2c0 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c0 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2fc -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d8 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 314 -NGENProcess 300 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 300 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 30c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 300 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 30c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 300 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 33c -NGENProcess 30c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 350 -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 360 -NGENProcess 30c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 344 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2f0 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 30c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2f0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 30c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 344 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 344 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 384 -NGENProcess 30c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 30c -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 37c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 30c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 39c -NGENProcess 1b4 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 390 -NGENProcess 368 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 368 -NGENProcess 394 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3ac -NGENProcess 1b4 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 1b4 -NGENProcess 390 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 3b4 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2756

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2464

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2928

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:3024
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
a1bf99365f2025d8171dd1823c0f63a4

SHA1
9f62906677e262f7d4f7c6f6567102797c677d76

SHA256
3966e81747e76c911dacdf792fcf62c08439fb9960792c3c6ac63b23e8dcc2d3

SHA512
5c3af18cac59ae379c41f474e71c18e4514e59ea377bd82f44ae0c443e1a642356dd6f1991ce7d75552a875873cb8582cfdff01676e33349ed70b25ac1abcca2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
fb95a2e66e8b92894cb77ff59280d7ed

SHA1
e987df4402ea7d2dce481fd65b1859d5959ac116

SHA256
1df14313e254d181eeef97559c682c1c6d5e159798ac5fbb024797bdca04ae5f

SHA512
ec8f15f0a6ff5eebaff762e5f3b9571349c0b04ebeae6e501bdd7afdd4d8e004cacd07cb5c118c39b2410cad2efb06835f34d3351465c41d1d5d8b01eaa08c6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
36ba38f884c42f5597cabc0556336c51

SHA1
f16e4ed5d6c6d3fd879145c048854144a99275f5

SHA256
76151636bffcabc93767ddbfe0bee47566ed6da905a2147a6cc5c5290f796553

SHA512
890901f0a888f1d375ba0ba5997487927f469f61e18f437e10664eb820930c2d1bd12ae41cb36a77a93dbf4511247fa8f3c0f25938317c31217a520dc0c7332f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
28babf778838795015693cfc719419e3

SHA1
640ceb8ec0bf9d44340e3bebb389bb56c11f7087

SHA256
fa7f6a304eb3df553bda6792920acbf5af211a8447c195ddbae23290809dd3a2

SHA512
05417bfacd4d6a719f7b495a37409b4b8c5bcea39e37ccc6e9ff4de31d4a8f2bbee4c70d17af689e52c21af3f1a0b4eaf87274a4be034231d78cc9c7a1ce3691

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
05c78c8d1d8ccb05f23f9ae6edf61ea1

SHA1
3eedd97b94911d5637e5cdb3933fb699a2d14a4c

SHA256
4806a78b45568ecfc6a4dc1c6b8a8aa668b4f26796393c9874dcb37bc5a404f9

SHA512
e82b6944f3cab080c4102344f0fa841ea2f30ed16148f5a23721892fed59645b0239c38ec365565d84757db6e8dfd9e7373771b91d12db33eb8cfa6e3368f1e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
ab1a6ec6efec7136b133accd6347f256

SHA1
ca56f38f5cb2aa27fcf0740f0fd8ca77af23db55

SHA256
59763b1c088902ebf3b4ee3150959b547d6e88e5eaa1445ffe434a684abf5dd7

SHA512
a72e2229f5264859c65be46bf32f9adbf7d58a4b87f60f486e8c0ce67fc205dd3f8aec0887c87998e5cc5fd89615a3c8878fc3d8e8c493a68f28df13c4ef3a97

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c715451c74fc4e810cc155da285e1931

SHA1
184925af7e4fe54af9f658e9540b6c6146ed0c90

SHA256
d99f061b4c0b91efe8ffe48f78e304a6bca09c9d87fe8467d7f8a128e7a3551d

SHA512
4ee18c6c69a13c3d2b4241b588d5c05828bc2077607c94b29823f4149e736b04490314c6f4f9efb99d03d0f511206dac7bb9d63728d6ae7ee9069e41307f05e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
5d294abd45d9fbdbfb2d33efa30dfb7c

SHA1
614b061904a868672de1010105e78576dcfc0f0c

SHA256
fa5f6184addb652e253e64c367ab1267d5eab2f91e31d91c6443172bb8fdaf4a

SHA512
6c7ca833bf6fbe81713d6892b0e185b55f3575ec6d2fc7a0c5475074f97278d1c72dfb760e8c92fd8893e0d4d0833fcd84435c827e41038912fbfd45773f4aa9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0db64c63dfbfcb7d96d1b1ad4f3bfa9b

SHA1
0d8f9e1801bc160bf13e98f5eca8bbfd8388898a

SHA256
98c0f795b63726f38acc092d35642f03964032e4041f9f9dd48a850eaead5b9f

SHA512
57ded14a5fcd20fb053603d9906b2992fb80c3bc55da7bd825050d752d62f3235cc58ce6110369ff2d8798990d06277fe56cab85ef5e9e695d29055af36aca92

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
3f63e3cce582a5588c0be51fc8749fdd

SHA1
60f091bb6b499ee7d0d4f8b69ad87b6afad3eac5

SHA256
175008624c980cecf90ae506ec1b560e332e924ccd67278934a0a0b9f784324b

SHA512
1c763579d1e715829630fd49c919d40d614a88e798055ed74f687f1f62732e1c1e203300bb1784366150b91e8169dbf815dac260855dddb5c100055397e97fc7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
31d57c03bab9e829a08d9a4404072a21

SHA1
82b00d3918c18899b875959f6fb1e7bc009b7302

SHA256
479b4aca636f8d2380fd254e98ace8abbaf33fdbb1004cbd6915b44044ae1be6

SHA512
726f62a5ba3de8bbea9a0b79efcd7767bbf8172eb6309bfbe97ab84e00267a45db0239f7efaaaff16c51f76a1b15f35a3f14aaddbb768048306ad4d5c030a860

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ab543b784a9aa906a9d3ab615c0857ce

SHA1
bc4a120e6155041740ecc0ef752987de8fd30b2e

SHA256
61fd7ed9096262e17d742fe6910b3ee9483e57a52c9782ad4d47aa66ab932152

SHA512
d5c3a6c3dbb03fc8eec5d7eb6cf89fb68bdf01aa5f801e0cc9dd67fd238080633e81a72fc206b73cba3cff2704cac58656768ad72ad468f915a4eb9d00a93f9b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\17913acb34062b0ba6877f61ec4a2b48\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
ecb6d48424ad6ff4b7288ab3f0800245

SHA1
289b7fcca148457c377dcd861fbdfedf5f3dfe70

SHA256
18109d74ab5b8e442407943068d912a70d1ac56c98d5245a8fcf61f982c5f7e8

SHA512
1f461e258e811701bbfb9f786c023563de7f6a162118451460aea0ef0e86f0af6c7a083c4b35a9b41f32bbe34d00f35b85480eadbe5655780db3458d43dc89f7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b91c20259468cfe8b5dd3dd4f3858b0c\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
e20d0a4ccb2efacb71c44eddfeeea203

SHA1
1b74c5903a6c5487ab48b2b073b7861f9a1337f2

SHA256
952414690cc6f387388579c7e8b5a4826cbbf752078621d47c30c9a6d06d8d07

SHA512
e00b3db5a6883eb1e3939742fad90499593d23ffd7d1dc7501d3643fb4c1ba451be7f8d635715ff86c8209ed1405a8fc3e120817687aa8b1a337770a741f9ba1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e7c9e4c0be754d7381b94261c9952b18\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
3442fbbe485950e93cdb861e27d9816e

SHA1
09e7e59e71b9563a6652614cfb3dafbfd1f1774a

SHA256
6a7d4dbe85226b0fb7463e80263996833869c017a3bf8652ebd4bc0931565f5d

SHA512
2228b7e61cc322d0dea9092c197faab6f337172dd70f36e6933e2c0dd1850a30245dbc86971e51550f4e9b4dc49b2995a42c311a1de9751ead5c00e5fa1d6b27

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
c717bf29e3184ccb943dc90caf9bf4ac

SHA1
3bfb150c53e9098f6e019f3033d9d19986f0c7b1

SHA256
a50bdf85609d0eeab1ab805f81f03d62b33f8dbe80c89be99c6450826fa9d81a

SHA512
b39e05fe7d046093626b74ea501a03bf8be49754cd1a6b887dff2ab4cee7426719508e9a3037a24bafba327e9a9379a8ca13b984d9bc43d371dfaa3028be555a

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
292d0ffe063e1e04e2796f0e4dbd7612

SHA1
c259337cbe58b035cfbebbe389ddc3f72a7c4845

SHA256
e0cf6bd05c89856466d853344090c3f4e246befaeb54095a3a48d956e611040f

SHA512
711cc5da1a7966ccdf182332e4d85edc19161837d7423cf929bfaa3e7c2ff3c4a241295ce133ac4cee15591d5321071ac55fb15b24a53dda865007282f972956

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
0514c8efe5624576b0aaa7fa44ad8e52

SHA1
d6894e01cff63667916713dfddd2d86ec65d789a

SHA256
5245dbbda8d7bb9c3379ae402f3b335d3989637e40a54d9e0107ec5e4f9158cd

SHA512
dea78778faf924d235c3a3c398b62508398ed792a7843d6c7513a42dc41b5e1c77f0113f8f97479161dd7471ec01eb270e31072732467d0f01e3f29a2d74435f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
25300d8ba99c1a6c050d26c3d15599d3

SHA1
37ce4f200bfeccde706f22de6c49d372c983e685

SHA256
613a3437538f972d7afd8f5b3d342bb8b5abec316c91ab9924b2e8c57ff2b260

SHA512
943e583c7fe12c8b9a002405a06faf3a0d8791fb80c49956fe81e7733ad2b7c214e3855fbc1de0e49f056361ef5fd0f1750d0feda5a5f3994a47328086e07e94

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
08c45830cf938420e4f48269b9f2da1c

SHA1
46e40f644d499777ff76e1c56e7d5d7c2ee04144

SHA256
a1f3c762487f084f20793db6518b22f123d60972a2913888248ababd2f528510

SHA512
33e02dd899c27e1e1df2b3971f92be8d2c632510ed6031e9526daf986a98d34dcfc65f3b432abee2d8f075a4bccb7e54b22e0cfe0aadc6706121033301e62f9a

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
182619d6eeafb328293ac96484137355

SHA1
be82757252f79b02123732982da6d6e873afed0b

SHA256
0c1925742658dd3babdca58e5041890a65c5be3fc668ae44fc943f78202a00cc

SHA512
e4eedebe8db74059bdb4bebc19d5725e3c000d99f5ed3942958efbaa7d36dae186b85a5c81c7ccba0b463e1002151c37a999d3141d795427c68797132d847ad4

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
ba70bf47d433fb4cc5bed449301d5c7d

SHA1
8d022acd9928d07caed6e390197bc1b8762b761d

SHA256
a7fe82c4c6f151a1887d2a3d0f1168dfd64072f397fa44cb95aa6111620b1c0f

SHA512
587d736179a9b4209980722a964e479190949093eb4d9c17e9e10fdc33114e67d3882f6f52eb8d006e73dcf8c8ab2a1dc527867b120605a72140f0fbbccfbc7e

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7d37479ab46acae38b7711886c5a8fca

SHA1
d078b5ad98ee504315a0652bcba8abdde0bf20c1

SHA256
ea228d9b885b5e5d717dc436642251442e33fc681fa2ab1c949feda97c1b8129

SHA512
d865f1d08b2609d176ca7ed6ab05be252808fd53c543781efc340000ba489c21a653749725fd60592f17294401517d4cf487f9c448010f83f0c3cbaf40fa2289

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3e1436061e2caf3720bfeb3457f1a47a

SHA1
e81c8f30100092d2f4532a9b2f4412e3611b3268

SHA256
d396dba376ca6ca8331f601f22177a0413154634ca5168403ad78300f0fa1eb6

SHA512
f0837626020423594ab3b70c4e6f477309faab94595217f46d53964b551e6d931669977170105f2b7519b573057d70a54f19c3f4546ffe45d65335d9ad0ee74e

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ed8289595c0ae5c7a7f8fa28bdd1e9bc

SHA1
e0888b9a3e0d172db22f8fe8d7e8b6f7f69cd498

SHA256
7dea9158d2512c99c6b9abb854a480b18e4eb52239e36526412bbe279759d393

SHA512
d27bcd2af0dd754cdd4cb1636c7b0aeb97ea6b964874250665292dbe251f9aaa9390461cd736092fea98bc396dd91c41e1ab6aa3cc6cc7007bd57065fbd8a0b5

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
9eeb0e2938d3c402c2700f013dd781b1

SHA1
00602007508a650defb10a2c7a61ee80bda90bd1

SHA256
a2cd5dcffc6748eb57a39372cf1b33d629cd102ecc59d166a1aa400f2f80f23a

SHA512
46a6a47396f036dff524b1b7a557163e77907fc9e52f18deb42fe291af6bd6684b78ed9afa721d100ea3469d90cf0180ded50861b062f234a9862e3dc4cfa2da

Download Submit
memory/428-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/428-489-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/632-713-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/632-681-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/828-530-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/828-542-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/848-179-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/848-14-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/848-13-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/848-20-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/848-21-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/976-761-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1016-860-0x0000000100000000-0x0000000100137000-memory.dmp

Filesize
1.2MB

Download
memory/1144-736-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1144-748-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1244-597-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1600-710-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1600-725-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1628-691-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1680-569-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1680-562-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1828-886-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1848-714-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1908-199-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1908-475-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1908-798-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1944-445-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1960-989-0x0000000001410000-0x000000000149C000-memory.dmp

Filesize
560KB

Download
memory/1960-995-0x0000000001410000-0x0000000001498000-memory.dmp

Filesize
544KB

Download
memory/1960-998-0x0000000000CA0000-0x0000000000CCA000-memory.dmp

Filesize
168KB

Download
memory/1960-990-0x0000000001410000-0x00000000014B4000-memory.dmp

Filesize
656KB

Download
memory/1960-991-0x0000000001F50000-0x00000000020EE000-memory.dmp

Filesize
1.6MB

Download
memory/1960-997-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1960-986-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1960-139-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1960-147-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1960-993-0x0000000001410000-0x00000000014FC000-memory.dmp

Filesize
944KB

Download
memory/1960-994-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/1960-144-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1960-988-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/1960-987-0x0000000000CA0000-0x0000000000CBE000-memory.dmp

Filesize
120KB

Download
memory/1960-996-0x0000000000CA0000-0x0000000000CC4000-memory.dmp

Filesize
144KB

Download
memory/2008-122-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2008-123-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2008-131-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/2008-176-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2020-816-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2020-992-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2040-488-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2044-668-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2044-663-0x0000000003DE0000-0x0000000003E9A000-memory.dmp

Filesize
744KB

Download
memory/2068-163-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2068-156-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2068-438-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2068-157-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2096-600-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2096-608-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2152-304-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2152-145-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2152-2-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2152-8-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/2152-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2260-539-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2260-563-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2348-907-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2376-462-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2376-441-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2380-416-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2380-382-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2416-871-0x0000000100000000-0x00000001001B5000-memory.dmp

Filesize
1.7MB

Download
memory/2464-181-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2464-187-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2464-451-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2464-186-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2464-806-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2488-321-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2488-561-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2640-898-0x0000000100000000-0x0000000100165000-memory.dmp

Filesize
1.4MB

Download
memory/2640-768-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2640-790-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2652-838-0x0000000001000000-0x0000000001137000-memory.dmp

Filesize
1.2MB

Download
memory/2712-764-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2716-79-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2716-104-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2716-215-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2716-96-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2740-527-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-793-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2756-648-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-787-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2756-632-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2776-459-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2776-473-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2852-737-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2864-855-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/2896-624-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2916-167-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2916-115-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2916-108-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2916-107-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2928-319-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2928-314-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2932-660-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3040-830-0x0000000100000000-0x0000000100153000-memory.dmp

Filesize
1.3MB

Download
memory/3040-832-0x0000000000570000-0x00000000006C3000-memory.dmp

Filesize
1.3MB

Download
memory/3056-803-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/3056-228-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/3056-528-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download