8e6791002a1cbb9b00235319e71f68ab520185f48d2dc4ec4aa42de00801ff1a

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c79c08fdcd271e1752204421917319f0N.exe
Size

1.3MB
MD5

c79c08fdcd271e1752204421917319f0
SHA1

4d14e99a1a5cccab6a68fbd0c5bbb3b0b3fefe6d
SHA256

8e6791002a1cbb9b00235319e71f68ab520185f48d2dc4ec4aa42de00801ff1a
SHA512

a9c2bc2cbcc607e5abfe99184035dd77635c5d5e71854ab1583b6846bf2c599d56392d86f0f7aa909f39ea52295446e8d02cd92e49f69f0d6c044fb01a5274b4
SSDEEP

24576:x9Rmlh8t0D+7y8G2G9yL0cMoThTR9PyuLzpQo:x9m+brLC2hTR9quLB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
1488	alg.exe
2888	aspnet_state.exe
1532	mscorsvw.exe
2860	mscorsvw.exe
3000	mscorsvw.exe
2492	mscorsvw.exe
808	ehRecvr.exe
1552	ehsched.exe
2760	elevation_service.exe
2300	IEEtwCollector.exe
352	GROOVE.EXE
1536	maintenanceservice.exe
944	msdtc.exe
1264	msiexec.exe
2276	OSE.EXE
2744	OSPPSVC.EXE
2544	perfhost.exe
2468	locator.exe
2488	mscorsvw.exe
2484	snmptrap.exe
1416	vds.exe
928	vssvc.exe
1732	mscorsvw.exe
2324	mscorsvw.exe
1680	wbengine.exe
2092	WmiApSrv.exe
2880	mscorsvw.exe
3020	wmpnetwk.exe
2632	mscorsvw.exe
2132	SearchIndexer.exe
840	mscorsvw.exe
2624	mscorsvw.exe
2572	mscorsvw.exe
1100	mscorsvw.exe
108	mscorsvw.exe
2472	mscorsvw.exe
1972	mscorsvw.exe
448	mscorsvw.exe
1788	mscorsvw.exe
1740	mscorsvw.exe
1628	mscorsvw.exe
1380	mscorsvw.exe
2948	mscorsvw.exe
1884	mscorsvw.exe
1844	mscorsvw.exe
1480	mscorsvw.exe
2196	mscorsvw.exe
2476	mscorsvw.exe
2924	mscorsvw.exe
1528	mscorsvw.exe
1564	mscorsvw.exe
2256	mscorsvw.exe
2060	mscorsvw.exe
2792	mscorsvw.exe
2720	mscorsvw.exe
2284	mscorsvw.exe
896	mscorsvw.exe
1768	mscorsvw.exe
900	mscorsvw.exe
1528	mscorsvw.exe
1204	mscorsvw.exe
2348	mscorsvw.exe
2532	mscorsvw.exe

Loads dropped DLL 56 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1264	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
760	Process not Found
2720	mscorsvw.exe
2720	mscorsvw.exe
896	mscorsvw.exe
896	mscorsvw.exe
900	mscorsvw.exe
900	mscorsvw.exe
1204	mscorsvw.exe
1204	mscorsvw.exe
2532	mscorsvw.exe
2532	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
2372	mscorsvw.exe
2372	mscorsvw.exe
1228	mscorsvw.exe
1228	mscorsvw.exe
1312	mscorsvw.exe
1312	mscorsvw.exe
912	mscorsvw.exe
912	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
1628	mscorsvw.exe
1628	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
2696	mscorsvw.exe
2696	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
948	mscorsvw.exe
948	mscorsvw.exe
1888	mscorsvw.exe
1888	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
1408	mscorsvw.exe
1408	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\msdtc.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f046c5e2d03a5d9e.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c79c08fdcd271e1752204421917319f0N.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3FED.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP707F.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7629.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4192.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	c79c08fdcd271e1752204421917319f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3478.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c79c08fdcd271e1752204421917319f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2796	ehRec.exe
2888	aspnet_state.exe
2888	aspnet_state.exe
2888	aspnet_state.exe
2888	aspnet_state.exe
2888	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2232	c79c08fdcd271e1752204421917319f0N.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: 33	2684	EhTray.exe
Token: SeIncBasePriorityPrivilege	2684	EhTray.exe
Token: SeDebugPrivilege	2796	ehRec.exe
Token: SeRestorePrivilege	1264	msiexec.exe
Token: SeTakeOwnershipPrivilege	1264	msiexec.exe
Token: SeSecurityPrivilege	1264	msiexec.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: 33	2684	EhTray.exe
Token: SeIncBasePriorityPrivilege	2684	EhTray.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2888	aspnet_state.exe
Token: SeBackupPrivilege	928	vssvc.exe
Token: SeRestorePrivilege	928	vssvc.exe
Token: SeAuditPrivilege	928	vssvc.exe
Token: SeBackupPrivilege	1680	wbengine.exe
Token: SeRestorePrivilege	1680	wbengine.exe
Token: SeSecurityPrivilege	1680	wbengine.exe
Token: 33	3020	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	3020	wmpnetwk.exe
Token: SeManageVolumePrivilege	2132	SearchIndexer.exe
Token: 33	2132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2132	SearchIndexer.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeDebugPrivilege	2888	aspnet_state.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeDebugPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe
Token: SeShutdownPrivilege	2492	mscorsvw.exe
Token: SeShutdownPrivilege	3000	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2684	EhTray.exe
2684	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2684	EhTray.exe
2684	EhTray.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe
2556	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2488	3000	mscorsvw.exe	50
PID 3000 wrote to memory of 2488	3000	mscorsvw.exe	50
PID 3000 wrote to memory of 2488	3000	mscorsvw.exe	50
PID 3000 wrote to memory of 2488	3000	mscorsvw.exe	50
PID 3000 wrote to memory of 1732	3000	mscorsvw.exe	54
PID 3000 wrote to memory of 1732	3000	mscorsvw.exe	54
PID 3000 wrote to memory of 1732	3000	mscorsvw.exe	54
PID 3000 wrote to memory of 1732	3000	mscorsvw.exe	54
PID 3000 wrote to memory of 2324	3000	mscorsvw.exe	55
PID 3000 wrote to memory of 2324	3000	mscorsvw.exe	55
PID 3000 wrote to memory of 2324	3000	mscorsvw.exe	55
PID 3000 wrote to memory of 2324	3000	mscorsvw.exe	55
PID 3000 wrote to memory of 2880	3000	mscorsvw.exe	58
PID 3000 wrote to memory of 2880	3000	mscorsvw.exe	58
PID 3000 wrote to memory of 2880	3000	mscorsvw.exe	58
PID 3000 wrote to memory of 2880	3000	mscorsvw.exe	58
PID 3000 wrote to memory of 2632	3000	mscorsvw.exe	60
PID 3000 wrote to memory of 2632	3000	mscorsvw.exe	60
PID 3000 wrote to memory of 2632	3000	mscorsvw.exe	60
PID 3000 wrote to memory of 2632	3000	mscorsvw.exe	60
PID 3000 wrote to memory of 840	3000	mscorsvw.exe	62
PID 3000 wrote to memory of 840	3000	mscorsvw.exe	62
PID 3000 wrote to memory of 840	3000	mscorsvw.exe	62
PID 3000 wrote to memory of 840	3000	mscorsvw.exe	62
PID 3000 wrote to memory of 2624	3000	mscorsvw.exe	63
PID 3000 wrote to memory of 2624	3000	mscorsvw.exe	63
PID 3000 wrote to memory of 2624	3000	mscorsvw.exe	63
PID 3000 wrote to memory of 2624	3000	mscorsvw.exe	63
PID 3000 wrote to memory of 2572	3000	mscorsvw.exe	64
PID 3000 wrote to memory of 2572	3000	mscorsvw.exe	64
PID 3000 wrote to memory of 2572	3000	mscorsvw.exe	64
PID 3000 wrote to memory of 2572	3000	mscorsvw.exe	64
PID 2132 wrote to memory of 2556	2132	SearchIndexer.exe	65
PID 2132 wrote to memory of 2556	2132	SearchIndexer.exe	65
PID 2132 wrote to memory of 2556	2132	SearchIndexer.exe	65
PID 3000 wrote to memory of 1100	3000	mscorsvw.exe	66
PID 3000 wrote to memory of 1100	3000	mscorsvw.exe	66
PID 3000 wrote to memory of 1100	3000	mscorsvw.exe	66
PID 3000 wrote to memory of 1100	3000	mscorsvw.exe	66
PID 2132 wrote to memory of 1420	2132	SearchIndexer.exe	67
PID 2132 wrote to memory of 1420	2132	SearchIndexer.exe	67
PID 2132 wrote to memory of 1420	2132	SearchIndexer.exe	67
PID 3000 wrote to memory of 108	3000	mscorsvw.exe	68
PID 3000 wrote to memory of 108	3000	mscorsvw.exe	68
PID 3000 wrote to memory of 108	3000	mscorsvw.exe	68
PID 3000 wrote to memory of 108	3000	mscorsvw.exe	68
PID 3000 wrote to memory of 2472	3000	mscorsvw.exe	69
PID 3000 wrote to memory of 2472	3000	mscorsvw.exe	69
PID 3000 wrote to memory of 2472	3000	mscorsvw.exe	69
PID 3000 wrote to memory of 2472	3000	mscorsvw.exe	69
PID 3000 wrote to memory of 1972	3000	mscorsvw.exe	70
PID 3000 wrote to memory of 1972	3000	mscorsvw.exe	70
PID 3000 wrote to memory of 1972	3000	mscorsvw.exe	70
PID 3000 wrote to memory of 1972	3000	mscorsvw.exe	70
PID 3000 wrote to memory of 448	3000	mscorsvw.exe	71
PID 3000 wrote to memory of 448	3000	mscorsvw.exe	71
PID 3000 wrote to memory of 448	3000	mscorsvw.exe	71
PID 3000 wrote to memory of 448	3000	mscorsvw.exe	71
PID 3000 wrote to memory of 1788	3000	mscorsvw.exe	72
PID 3000 wrote to memory of 1788	3000	mscorsvw.exe	72
PID 3000 wrote to memory of 1788	3000	mscorsvw.exe	72
PID 3000 wrote to memory of 1788	3000	mscorsvw.exe	72
PID 3000 wrote to memory of 1740	3000	mscorsvw.exe	73
PID 3000 wrote to memory of 1740	3000	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c79c08fdcd271e1752204421917319f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c79c08fdcd271e1752204421917319f0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 258 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d0 -NGENProcess 264 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d0 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 25c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 1d0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 1d0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 1d0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 258 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1c0 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2c8 -NGENProcess 2a4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2a0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2a0 -NGENProcess 2a4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2a4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a4 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2bc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2bc -NGENProcess 308 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 318 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 310 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 310 -NGENProcess 320 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 318 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 320 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 320 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 340 -NGENProcess 328 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 328 -NGENProcess 338 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 348 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 328 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 350 -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 358 -NGENProcess 328 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 354 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 348 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 328 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 328 -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 35c -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 370 -NGENProcess 368 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 368 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 350 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 350 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 350 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 39c -NGENProcess 368 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3b0 -NGENProcess 1c0 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3a8 -NGENProcess 3b0 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3b8 -NGENProcess 368 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 1c0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 368 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 1c0 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 368 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 1c0 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 1c0 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 3dc -NGENProcess 368 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3d4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 368 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 368 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3c0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3c0 -NGENProcess 3f0 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 404 -NGENProcess 368 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 368 -NGENProcess 3f8 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 40c -NGENProcess 3f0 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f0 -NGENProcess 404 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 414 -NGENProcess 3f8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 410 -NGENProcess 3f0 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2300

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2276

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2556
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
590622a2a79f29ef96be3790d10f9b86

SHA1
ecf3e4f798ea4f287a1187b34f46f73a9d5ed77a

SHA256
628a34a1719b227142b08f4dad9c37ec708ae394177aed807696bb2a96e0f32b

SHA512
bb7200a6d404552a5d3f5ba36a37baef9a975c41c0f426bfd63bfa12ec86316a594e343b7b59795dbf57bb5bc2636c9494cb1bdddf01cb9ec0a527c189e060d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
38e2e790eac5909b04e832a6176e9148

SHA1
e0f2e26130a3e756f948c7d411e11477e80a8c10

SHA256
1feecfbf4f3099cc6a611742051fb58af4f3e1ff4b8ca8013e9c907ad8520154

SHA512
3e0aae8b767f16012fb5471105f00acf67368ce221f599dd9b0e5a340389bf197d57297868569a59fd2436e0bcded2c94d47677452500e0a62d5cd28da752a91

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
46bd8ee198bb594ff50cb1b46476e0bf

SHA1
255538e5d553d51fc55d27aeeeb7e46c53683067

SHA256
8102e670f9a5f13a4573100d2b83a7d96afdfc35e776e736db13ec4d4bc2d69e

SHA512
686e462385d331a324ceefc6ef74e4508a2fedba37d1a63e3a3b1e4299530ff6cecaa5fe726c7dd55cace8235aa436c5773e5b76abc0ef4478843693bba1a3ca

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
e6f85bfc267ce006c5c64ab6eed21839

SHA1
084d13fa701a5b0c6a8685547ad7b7d5531c3565

SHA256
42ffd39f0beab428d74e002cacbd18672753dcd61fcb0a415437979e5732a97c

SHA512
1618138a058830f8ce4475589fe04209ff4f3810040a05634025aecc266ef56625a7302320f22c1ba432e5de55dbe68de3de48a784482fdc96616700f406390d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4966f5b280126d0c2b3651fc6ead3295

SHA1
71ec230b94696f91a83fcfe44ff2efed32cfcaa8

SHA256
3c2a3ea7ec69343b9c78539163a282eeed05bde12b871a31316f535ef5dbd443

SHA512
da55b241408f42d655d298ed7a161c2285eaee944e14be20d12ee1172354e7a7086156b7e8929e3c89072a23b327efb504a9deac0bc393465d1d7dbac53c3c9e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
84ca72efbf79e289bcc90292b8a5580b

SHA1
e1246a230739351a44850d75a27bc8052a9462bd

SHA256
9c7bc0480510edd003dc9ee6c8b9cbd42301900b8dfcafc18698c896db1aea1e

SHA512
4d037f7fea337a3343456a7c5a7253f38e479faeeb260a189877c752941f81dc6ff55a1087a78f53251428c49979f4f5fd57580cecb4ce146323b4060df0f877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
190535d4bb56bb0b3e160147978b5231

SHA1
22a744ce1ac0f93df43d66677edca8262ef313a5

SHA256
677d3c4a6b3032090432d04de8205675101c1de98e5b0be8e17a3aeea5069eb3

SHA512
a396977421e9b902dd0201d5a13821bda860294cf17e067c206aad5885d0da5702a9dbf6f96ce60d4ecda8264eda41d77ad9d36a48f0201a3368c066633be5e0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
52a118045424ffe1be8a48d83aa99d84

SHA1
3beeb9b207d3ad980ce61ddc82d0881d2074c1a5

SHA256
013df2142bf14516da81f506b80d4752b816b71f9a0769478fa05eb1a82210b3

SHA512
e5f8c314f0ebdbf2fdd4e8dd6ec16a8ad5299ce867da80b9e26b4fb804bec3e205021fafa163f48dd4dbc6870a02b530c5c5a67f22569fa0d190c79edc6b068e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
5ee6ed383b3f84af0ec1816cd3bee541

SHA1
83837351453d3b5279386a85085879272cf7347b

SHA256
481c6c0ebf61eb38f6126d791f3e53631d8bf4f11cfad67b4bfe2629d6f97fa3

SHA512
aa46e5c7b9c7063dd0d1d05368daf11c046b06afb64a4df5044edda369b4173fb5d41f3bb36886565fd51d61aa5b5ed10824043994b4ad60d4d6db8a52ae0ff5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
e86e685de91e6d50f788e77bf4f2052e

SHA1
fc1c12596ab10b01e5b21e2962239aac7e008d76

SHA256
ac99e76b9506cf22facf9f9efbfd4c86a631473a30709b82ac6028f1e15cb35c

SHA512
6df25dec1d2418c213abfc20c55229fe08e69a9c56d125145c4e8a6d2f58a316c7db6e6e96e065233d2ba0e3f498a60c314f4aefce38c4afe4f032df0328c04c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b572a0173e4076fb3d6230b12d743ae6

SHA1
2c0789e57162c664779880991f0aafc20421492d

SHA256
8d1fa4b499f24f3aa2c8b681970c29312af860f3aa3827dc54bb0916bba815ea

SHA512
6e50342196a778b13807c1469249d343b4ef773f06f5c3f906a9a3515d841fb69ad9e82a69da39bac3ffc8c3f0938c89b5fe6713fcace7bb844620ca6de69627

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
7757c96f4366e366e0e97f0984b51c80

SHA1
4c95db106e6b441a9791a8305cc418d49f40e610

SHA256
323a35a1cb6c55717b7b3fa45a2bf970c316836c1416e4abee1fae3d7d4dccf6

SHA512
d3e7cf9923fd31a6e8e84e6db8471449853ae5e416df104feec1ff7d5161d677b9466fd5a76e51763fb1ea39507b1c29c09005efabdb92d504ec2328d8dcb1a3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4361880637dcae7eedf0511f0b316521

SHA1
52b72ba2900ddc1d6cfcad05c4e578cf6608b5d0

SHA256
e0417e0d4e2b73d69bb9d3526be683f8264246c105584d64a301c48e45004155

SHA512
2f373713f4754a0e86195ec4950ff8b8fd78bf83a15724ab61d79b0e8111e53fae491955cff685b73c910900bef5faeb7631ef368d2875dc6b1ff7001cfe3ef9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
14637eee74bb66dbfb798af56dcf69f8

SHA1
26867c2e648e21c2760aa7516b588489f4c064ab

SHA256
8f77ea60e8bcd7fded74394619c3dc52ebcba99efbe446e093239229c841c489

SHA512
b15b23ffe0e43f861a5d34ff58062da03ead184281cb9e578db33a5a399120df0ddbee62e49d2ca572129a1efddfca0beca88cf887e4d6e8a6c36859cce286f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
27222b4155560da27d5f8c90aa404b10

SHA1
04ba18b8bc6ba66fce158f45eebf41fed2f4b332

SHA256
a0fed4ed22a15d7dc6a22bb35c1cf1d3987fd9bf95aaa7f70133dedd2361d67c

SHA512
d2a9ec1b74880a22db314b64f8c205daabc3d54be708937faa8e29dd94901c00a23d21353cda53ff9fc6a2bc7ddf6a939d84c2037b7cc40ca1a725e2772c8b6c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
8b097f50e7e6e8b3a36f0fe4b736491d

SHA1
93d18707df971bf70e306c47db452f9c85c8f9dc

SHA256
0f6bb14d41aabcef157126262044572fbdb917de5ca46f816644ec98b114ef07

SHA512
e3d9a5c4fa11f54b088c34a2e8ef7bbf61eb8fcdb05b3679a9af5ddbafaf68a32a40a1d904f38cd35eedd724da02d85181520a62160e67905a2b506b76219a87

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
0073fac8851592c97f1d35e502f58642

SHA1
7b9c0e870f5331482cb432922593598d15beebe9

SHA256
1e3931ffd80dc7792aeb34f989c2acecc8d01f60c792c69e765e57d77572411c

SHA512
1289e387e53d4ae1538b4363c0fa5611f7f9d32ea05b8fefcef32cb980460f07e63455f1003c812a8ebf62428e03268ef779c8d163249f6f6bbc413429d2c848

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
52902d2a7232714c31ff02201c92438d

SHA1
553b68d32191176c836ffa2fa7c579e6a220b0a4

SHA256
53bf6eb3fcd471af5109c0c9d7faf68758066d1f570feb1c1a0c9fd74f9999f8

SHA512
9b3ddb2dbad7b4af5c41f04b7beb9d8c1673ba510ecac7081402a1c272d78b69779a0ff20add1356e581c6161ae7756646802a76bc76a7735a85dadb7f4ccdcb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
55e5b15cd3fdb1834feccd8a5e2f9f26

SHA1
c5f97a78b31fbe92a9fee878c5b30532517374f7

SHA256
f01435fb972b92bc1bdd8d4f26188756362d1ee3a5110fa3248c8b6eef841b51

SHA512
ca148e7d354a391bd4189d52518652cce70af16e3f2a3203729b6dd9da47e4185092bab0e5804f1a9bd9e792eb0e4552b8660f70dfcf17618372a8c853015bbc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
1ceb37ca217352a1c7d67752a2486c8a

SHA1
d4354d6110ff53e5583b14b31b07d8767a890719

SHA256
5234fa8ee57ec37e1bd5ea0ec796f4e64ffda27c8c17ac4568e1d1d24098f8fd

SHA512
475b9af4ee6bfd66284738078455ee9e4ab1709f141b3f2f4507491bff0537b1b259c24df1c808d680a1cba851e6b9e80522be517582b6ba4bbba5396d833538

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
40e89a09a5062598c1bfec8f7080c00a

SHA1
8ac94f2af999a6631b0b3e60e3599101f03bc9a1

SHA256
2652b2814568c4b9928f205ec08bd05dbeebedbde3c2fb71f172905273cd3fce

SHA512
3db98bc004c6e754966337e2bba6ea388d47e1e5dcd9304202cb4b989b8b01a67f84f5fc9cc900e6641f95af7903bf25dad2c8d910998fe72309000411a99ad3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1e209ce5266f23d99609286076d7f7a7\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
1dae48c31c10a7004a94604e7f3c940a

SHA1
3cc1ca4f1a0bf3c39cca7a2c66ad27a8a830dd37

SHA256
649800029769d0c44df1fe8037c0eef12677722ba68db312c0d597da33c1d2dc

SHA512
2c5843d5b520aa5cc727920ae3d83388ebe0d297b3aae123005c6d5f5a5327de6b98b8a09d623c2e9b0d295368939b653677105783318bdd74c9a38cb082a0fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2bcda2a9a8612395a58bc7baf5bd7051\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
9d4fbfae7616d8612d327d9bf68be354

SHA1
3a82b7ac5255356c7bbd825d8bdb434de26bd651

SHA256
8fe6bc5f47f3bd1a69c8a3c6dcb852b26d9250c316ace2848566b5f9eb3d7229

SHA512
fa48434f559bc3c034bf1da7e72eee1a0f6a72f9478191ce6394682abe83580577ac902e43fa57382ea1217bfb499099cee5c568ae7042e0efc01bb410abdb55

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\73e36aaf21171fd928e6e47986e51a6b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
9fbf241404c9c75593c5b90ebcaf7b04

SHA1
5987e83224a0817aff5367fb867152fb4061f826

SHA256
7d42794f78df86acf5fbd60bab2cd3fe91296791cddfa97fe9f361ee7716f6e5

SHA512
d082c780f0eaa07a1420e05b52609c2cfb0a4e4a79dcefdee35946dcf820418e506d99a72ed05e188e57227aa1fba23ca6ca1567e289d5c5ff3981ad2f321002

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
ff0c8d0a70370b4b881e9bcecad2c536

SHA1
2351bc6f160d7507ea746986b59b5ba93549660d

SHA256
677be82c8bc509c0ce3ad6813da5ebdbc1292fc9027e44a2dedacba9025ef26c

SHA512
1a023bdac9252cda8ed269e624eaf26dd39af5db4f29167a55c3c59df5cdeb82305dc7b55711ee09f4d8212ab0acc200b30084c422c06f9431a1f21638cb6d58

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
fad47a1afad9f1c47de443560cb52a04

SHA1
969838655e905682d537ef6bb2f98a3de7f19c22

SHA256
ce9ea6bb6b526bfafeaa1d6f7221f5f0597a73bb508d5f5ea9f5e5cfbc1d2616

SHA512
6173dbd94fc9eee7975692b91e529841db9b3f862b2438aada97f6ee70abb4fffb1e2182d1ccf2998f4464a0f99b5cd3f160d09f13e2eba8d80211b6444d42de

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.3MB

MD5
4e8212400e49d1319b3ca6ea628028be

SHA1
11012d64fd3790853438cf999b4d4a014bca20de

SHA256
33d8ea8c2fc4d05ea5b8b46bfc1e6a194fc41fd1a89e7c0ab24c5094c9805dc8

SHA512
7b8f95a15a3a11dded570f0cca01f98dd7f3f22557412cd609f93c001fa87d398003eaf23f4d7e0aaea3c799811e75a73f7c423d9edaa5c5b23dbfc32391d6c3

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cfe1b4ba9c301a7f619f8251eafe8a95

SHA1
a899d865a4770f959d751b4be4607abf41b969b7

SHA256
ab56c6634cad64e1f39fdb4e755bffd930f68e9b6a9bc99ed8b44648bb37375a

SHA512
8d69e0bf139e815d56b0ec8a7c69f57b6bd755307f7d14062dd4dfc1b3f1d4a73ae7fa50493e49cd115872f27d00c038c4679c0910a6bd46f2ecbb21213fc1e2

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
bd08779609aef7156cf0a64a53cc0981

SHA1
8da838b5cfc6c67684a56d2aa5f9ac5d0d7109ad

SHA256
5b9e15da32a0f1d3d8e2dc2cf17b5685756723affbb1f38e5762738b5053d46c

SHA512
7d70b54f60ffa996375f578f98c991eb4bfe675422a8a8d354ad68d1e3ebce916074b0231f5694c58410242baffc044f3efe9a8b39810223e4c17820426ef835

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.4MB

MD5
5d08eef2af6296b48a7ecf1d16fb5a8f

SHA1
2b68a065944e31d51d427e40ec949b1841417173

SHA256
be0576c89258f9d17fff1f37e21467fd5a2e62a0f9d0408f8f0b955c03cd58a6

SHA512
4606279825f79f9d59e1e71ea41cef68fca3115169990a113ad05a98a08ba29930484e111994844c1dace5d5654748ad83eb51f11794abb00c821dde46468e8f

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
75b8d957ab9c36044dfb8f379f975be2

SHA1
51c21cc5052ae162dec1b7e3d8fc951ae82e2694

SHA256
408643f54cf0384e8d04a8f84273a1408e48e2c7a4407ccc831cc99cf0460760

SHA512
17efb86a4b5e8cc106a4f0be2e52283bb7805134f8f41fcdb8c601cb76e497b8632b22290d4ae5ab2679b981786d16c89ebfa411cd5679ec2d834f9ae48c635e

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
25dad9283a522e813e4936fadb3bf171

SHA1
5b1f7c6e5817f642e61c983da84bbb7e6368c9bd

SHA256
9b3ecc2e24d5d61ba13245bd6ea59b22fc61c2671763db3622207c16dea0af2e

SHA512
ab6d18339569e26088dfa96ab06cb39fe470c73a1c2925b7781cdb9f3c8e4ec4bfa1590223f28b17357b1847703413f737b6901cb0b4bbe16726c7c5992e1033

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.4MB

MD5
5c0b398fd6673930abf75205b969f3bd

SHA1
4c9d5754c428042c4e1fba0d2898f11c06ebbced

SHA256
7d2831e6b217d216fd360b288d70f2aed4bb0f455c8b51bde6fdb21acbf6387d

SHA512
d81d3421f246634449ef2a12c9092fa1bd2aa2e938014d92925e3ecbf5139fdb4450a1ec21f4a5556d7a89e044ab538cd2507b46cd5f3e09ecf6df1d6c5cc154

Download Submit
memory/352-153-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/352-238-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/808-103-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/808-206-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/808-102-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/808-109-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/808-870-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/808-117-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/808-116-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/840-363-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/840-484-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/928-253-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/928-463-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/944-252-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/944-172-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1264-180-0x00000000005A0000-0x00000000007AD000-memory.dmp

Filesize
2.1MB

Download
memory/1264-260-0x0000000100000000-0x000000010020D000-memory.dmp

Filesize
2.1MB

Download
memory/1264-274-0x00000000005A0000-0x00000000007AD000-memory.dmp

Filesize
2.1MB

Download
memory/1264-177-0x0000000100000000-0x000000010020D000-memory.dmp

Filesize
2.1MB

Download
memory/1416-249-0x0000000100000000-0x000000010026F000-memory.dmp

Filesize
2.4MB

Download
memory/1416-360-0x0000000100000000-0x000000010026F000-memory.dmp

Filesize
2.4MB

Download
memory/1488-114-0x0000000100000000-0x00000001001FF000-memory.dmp

Filesize
2.0MB

Download
memory/1488-13-0x0000000100000000-0x00000001001FF000-memory.dmp

Filesize
2.0MB

Download
memory/1532-35-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/1532-75-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/1532-30-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/1532-29-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/1532-36-0x0000000000430000-0x0000000000497000-memory.dmp

Filesize
412KB

Download
memory/1536-168-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/1536-162-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/1552-217-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1552-115-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1552-786-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1552-118-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1680-783-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1680-284-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1732-263-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1732-280-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1740-665-0x0000000003DC0000-0x0000000003E7A000-memory.dmp

Filesize
744KB

Download
memory/2092-787-0x0000000100000000-0x000000010021F000-memory.dmp

Filesize
2.1MB

Download
memory/2092-289-0x0000000100000000-0x000000010021F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-818-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2132-329-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2232-0-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/2232-188-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/2232-81-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/2232-8-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2232-2-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2276-283-0x000000002E000000-0x000000002E210000-memory.dmp

Filesize
2.1MB

Download
memory/2276-191-0x000000002E000000-0x000000002E210000-memory.dmp

Filesize
2.1MB

Download
memory/2300-226-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2300-808-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2300-142-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2324-301-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2324-275-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2468-224-0x0000000100000000-0x00000001001F0000-memory.dmp

Filesize
1.9MB

Download
memory/2468-304-0x0000000100000000-0x00000001001F0000-memory.dmp

Filesize
1.9MB

Download
memory/2484-328-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-239-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2488-227-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2488-266-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2492-89-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2492-82-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2492-88-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2492-192-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2544-219-0x0000000001000000-0x00000000011F1000-memory.dmp

Filesize
1.9MB

Download
memory/2624-507-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2624-464-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2632-400-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2744-288-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2744-207-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2760-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2760-222-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2860-52-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2860-45-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2860-51-0x0000000010000000-0x0000000010202000-memory.dmp

Filesize
2.0MB

Download
memory/2860-54-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2860-96-0x0000000010000000-0x0000000010202000-memory.dmp

Filesize
2.0MB

Download
memory/2880-326-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2888-24-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2888-18-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/2888-17-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2888-135-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3000-880-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/3000-892-0x00000000023D0000-0x0000000002436000-memory.dmp

Filesize
408KB

Download
memory/3000-65-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/3000-70-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/3000-64-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3000-891-0x00000000023D0000-0x00000000023FA000-memory.dmp

Filesize
168KB

Download
memory/3000-890-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/3000-889-0x00000000023D0000-0x00000000023F4000-memory.dmp

Filesize
144KB

Download
memory/3000-888-0x00000000023D0000-0x0000000002458000-memory.dmp

Filesize
544KB

Download
memory/3000-887-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3000-886-0x00000000023D0000-0x00000000024BC000-memory.dmp

Filesize
944KB

Download
memory/3000-885-0x00000000023D0000-0x000000000256E000-memory.dmp

Filesize
1.6MB

Download
memory/3000-884-0x00000000023D0000-0x0000000002474000-memory.dmp

Filesize
656KB

Download
memory/3000-883-0x00000000023D0000-0x000000000245C000-memory.dmp

Filesize
560KB

Download
memory/3000-882-0x00000000023D0000-0x00000000023EA000-memory.dmp

Filesize
104KB

Download
memory/3000-881-0x00000000023D0000-0x00000000023EE000-memory.dmp

Filesize
120KB

Download
memory/3000-179-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3020-801-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3020-311-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download