821cfc57a2d1cc8f8db3c44abf5803932682f4aaf1c5b2242b22489f8241544c

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73c404d7e5be592924d2bf88ac0a59e0N.exe
Size

625KB
MD5

73c404d7e5be592924d2bf88ac0a59e0
SHA1

27701d1802c24a7d9b6002ede4454e896102f4d1
SHA256

821cfc57a2d1cc8f8db3c44abf5803932682f4aaf1c5b2242b22489f8241544c
SHA512

c7d3f809520393dc0ef559d4b46f14eae20d4f88069329f9482b5767f3a764e0b393777c854811faa67f7076f37006e0b6789b701320451f0e4f4500175d0019
SSDEEP

12288:X2GnMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:GGMSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
1740	alg.exe
2716	aspnet_state.exe
2776	mscorsvw.exe
2724	mscorsvw.exe
2744	mscorsvw.exe
2692	mscorsvw.exe
2864	ehRecvr.exe
2984	ehsched.exe
2444	elevation_service.exe
1056	IEEtwCollector.exe
1560	GROOVE.EXE
1332	maintenanceservice.exe
2160	msdtc.exe
2936	msiexec.exe
2428	OSE.EXE
2736	perfhost.exe
2204	locator.exe
2876	snmptrap.exe
2844	vds.exe
1656	vssvc.exe
996	wbengine.exe
1564	WmiApSrv.exe
1172	wmpnetwk.exe
1096	SearchIndexer.exe
2888	mscorsvw.exe
2884	mscorsvw.exe
1436	mscorsvw.exe
2524	mscorsvw.exe
640	mscorsvw.exe
1332	mscorsvw.exe
2284	mscorsvw.exe
2820	mscorsvw.exe
740	mscorsvw.exe
1864	mscorsvw.exe
1616	mscorsvw.exe
1448	mscorsvw.exe
2828	mscorsvw.exe
1764	mscorsvw.exe
2704	mscorsvw.exe
2584	mscorsvw.exe
2980	mscorsvw.exe
2228	mscorsvw.exe
2412	mscorsvw.exe
1460	mscorsvw.exe
1980	mscorsvw.exe
2464	mscorsvw.exe
2980	mscorsvw.exe
1432	mscorsvw.exe
1620	mscorsvw.exe
1792	mscorsvw.exe
712	mscorsvw.exe
764	mscorsvw.exe
2140	mscorsvw.exe
2296	mscorsvw.exe
292	mscorsvw.exe
1676	mscorsvw.exe
2244	mscorsvw.exe
1664	mscorsvw.exe
940	mscorsvw.exe
2016	mscorsvw.exe
340	mscorsvw.exe
2120	mscorsvw.exe
760	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2936	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
748	Process not Found
2296	mscorsvw.exe
2296	mscorsvw.exe
1676	mscorsvw.exe
1676	mscorsvw.exe
1664	mscorsvw.exe
1664	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
2120	mscorsvw.exe
2120	mscorsvw.exe
2976	mscorsvw.exe
2976	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
1732	mscorsvw.exe
1732	mscorsvw.exe
872	mscorsvw.exe
872	mscorsvw.exe
2992	mscorsvw.exe
2992	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
1056	mscorsvw.exe
1056	mscorsvw.exe
1308	mscorsvw.exe
1308	mscorsvw.exe
2176	mscorsvw.exe
2176	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe
3068	mscorsvw.exe
3068	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fb65d5d81b3662b8.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\System32\vds.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index165.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5706.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index160.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7178.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index164.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index162.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP29EE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39A6.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP628A.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index165.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	73c404d7e5be592924d2bf88ac0a59e0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2A8A.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009026131dc4dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000907c7618c4dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1792	ehRec.exe
2716	aspnet_state.exe
2716	aspnet_state.exe
2716	aspnet_state.exe
2716	aspnet_state.exe
2716	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2704	73c404d7e5be592924d2bf88ac0a59e0N.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: 33	2288	EhTray.exe
Token: SeIncBasePriorityPrivilege	2288	EhTray.exe
Token: SeDebugPrivilege	1792	ehRec.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeSecurityPrivilege	2936	msiexec.exe
Token: 33	2288	EhTray.exe
Token: SeIncBasePriorityPrivilege	2288	EhTray.exe
Token: SeBackupPrivilege	1656	vssvc.exe
Token: SeRestorePrivilege	1656	vssvc.exe
Token: SeAuditPrivilege	1656	vssvc.exe
Token: SeBackupPrivilege	996	wbengine.exe
Token: SeRestorePrivilege	996	wbengine.exe
Token: SeSecurityPrivilege	996	wbengine.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: 33	1172	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1172	wmpnetwk.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeManageVolumePrivilege	1096	SearchIndexer.exe
Token: 33	1096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1096	SearchIndexer.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeDebugPrivilege	1740	alg.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeDebugPrivilege	2716	aspnet_state.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe
Token: SeShutdownPrivilege	2692	mscorsvw.exe
Token: SeShutdownPrivilege	2744	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2288	EhTray.exe
2288	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2288	EhTray.exe
2288	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe
888	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2888	2692	mscorsvw.exe	57
PID 2692 wrote to memory of 2888	2692	mscorsvw.exe	57
PID 2692 wrote to memory of 2888	2692	mscorsvw.exe	57
PID 1096 wrote to memory of 888	1096	SearchIndexer.exe	58
PID 1096 wrote to memory of 888	1096	SearchIndexer.exe	58
PID 1096 wrote to memory of 888	1096	SearchIndexer.exe	58
PID 1096 wrote to memory of 2928	1096	SearchIndexer.exe	59
PID 1096 wrote to memory of 2928	1096	SearchIndexer.exe	59
PID 1096 wrote to memory of 2928	1096	SearchIndexer.exe	59
PID 2692 wrote to memory of 2884	2692	mscorsvw.exe	60
PID 2692 wrote to memory of 2884	2692	mscorsvw.exe	60
PID 2692 wrote to memory of 2884	2692	mscorsvw.exe	60
PID 2744 wrote to memory of 1436	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 1436	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 1436	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 1436	2744	mscorsvw.exe	61
PID 2744 wrote to memory of 2524	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 2524	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 2524	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 2524	2744	mscorsvw.exe	62
PID 2744 wrote to memory of 640	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 640	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 640	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 640	2744	mscorsvw.exe	63
PID 2744 wrote to memory of 1332	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 1332	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 1332	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 1332	2744	mscorsvw.exe	64
PID 2744 wrote to memory of 2284	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2284	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2284	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2284	2744	mscorsvw.exe	65
PID 2744 wrote to memory of 2820	2744	mscorsvw.exe	66
PID 2744 wrote to memory of 2820	2744	mscorsvw.exe	66
PID 2744 wrote to memory of 2820	2744	mscorsvw.exe	66
PID 2744 wrote to memory of 2820	2744	mscorsvw.exe	66
PID 2744 wrote to memory of 740	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 740	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 740	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 740	2744	mscorsvw.exe	67
PID 2744 wrote to memory of 1864	2744	mscorsvw.exe	68
PID 2744 wrote to memory of 1864	2744	mscorsvw.exe	68
PID 2744 wrote to memory of 1864	2744	mscorsvw.exe	68
PID 2744 wrote to memory of 1864	2744	mscorsvw.exe	68
PID 2744 wrote to memory of 1616	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1616	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1616	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1616	2744	mscorsvw.exe	69
PID 2744 wrote to memory of 1448	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 1448	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 1448	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 1448	2744	mscorsvw.exe	70
PID 2744 wrote to memory of 2828	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 2828	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 2828	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 2828	2744	mscorsvw.exe	71
PID 2744 wrote to memory of 1764	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1764	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1764	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 1764	2744	mscorsvw.exe	72
PID 2744 wrote to memory of 2704	2744	mscorsvw.exe	73
PID 2744 wrote to memory of 2704	2744	mscorsvw.exe	73
PID 2744 wrote to memory of 2704	2744	mscorsvw.exe	73
PID 2744 wrote to memory of 2704	2744	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\73c404d7e5be592924d2bf88ac0a59e0N.exe
"C:\Users\Admin\AppData\Local\Temp\73c404d7e5be592924d2bf88ac0a59e0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 238 -NGENProcess 1dc -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1e4 -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 248 -NGENProcess 238 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1dc -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 258 -NGENProcess 268 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 264 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 264 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 27c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 258 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1fc -NGENProcess 1ac -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 254 -NGENProcess 238 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 238 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1ac -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 238 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 27c -NGENProcess 260 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 2b0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b0 -NGENProcess 2ac -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 258 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 258 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 258 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1fc -NGENProcess 2e8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 2f0 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 29c -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2e8 -NGENProcess 1fc -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 1fc -NGENProcess 2d4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 308 -NGENProcess 2d4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e8 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 314 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 300 -NGENProcess 2d4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 30c -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2d4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2d4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2d4 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 310 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 310 -NGENProcess 358 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 368 -NGENProcess 30c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 30c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 358 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 30c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 358 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 30c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 364 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 358 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 358 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a0 -NGENProcess 394 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 358 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 39c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 358 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 394 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 39c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 358 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 394 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 358 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 394 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 39c -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3cc -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3c0 -NGENProcess 39c -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 39c -NGENProcess 3d8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3e4 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3ec -NGENProcess 3d8 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3d8 -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3f4 -NGENProcess 3c0 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f0 -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 3c0 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3fc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3d8 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 3c0 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3fc -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3d8 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3c0 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3fc -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3d8 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3c0 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3fc -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3d8 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 3c0 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3fc -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3d8 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 3c0 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3fc -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 3d8 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 3d8 -NGENProcess 43c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 43c -NGENProcess 440 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 454 -NGENProcess 444 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 444 -NGENProcess 3d8 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 45c -NGENProcess 440 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 458 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 3d8 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 440 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 458 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 458 -NGENProcess 464 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 474 -NGENProcess 440 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 440 -NGENProcess 46c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 47c -NGENProcess 464 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 478 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 46c -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 46c -NGENProcess 47c -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:1820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 48c -NGENProcess 478 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 478 -NGENProcess 484 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 478 -NGENProcess 48c -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 480 -NGENProcess 484 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 494 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 494 -NGENProcess 484 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 484 -NGENProcess 48c -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 4a8 -NGENProcess 498 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4ac -NGENProcess 4a4 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b0 -NGENProcess 48c -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 498 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 498 -NGENProcess 4ac -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4bc -NGENProcess 48c -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 4b8 -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 4ac -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 48c -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 48c -NGENProcess 4c0 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 4d0 -NGENProcess 4ac -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 4cc -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4cc -NGENProcess 48c -Pipe 4c0 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4dc -NGENProcess 4ac -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 4d8 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 48c -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4ac -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4d8 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 48c -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 4ac -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 4d8 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 48c -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4ac -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 4d8 -Pipe 4ec -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 48c -Pipe 4f0 -Comment "NGen Worker Process"
  2⤵
  PID:388

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
f0b30fe89f0c51f6d1c009263d2ba776

SHA1
f9cc905696210ca6efeaa5b383af83a083c4f284

SHA256
919dda84a95c7660a65d4541bcae7ca718b6308b057e1a17d6da7f4a059c01f1

SHA512
4e0088847039d234f4d3d565774342416f6a33bb812ffda815cbcb53e4739b35e64fe70e73313aecaea62704a2bbefa5c4709dd5656b62da8ea69808932ba66d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
5d691e9e329048ab318a7c20e349b556

SHA1
2c1a0b15ec1fedb1b0f9e0763862b63ae7d915f9

SHA256
50c04a4342a9d90d83b838d5bc1798b3b8aa4734cb4bb939c9b1d7359291e55d

SHA512
dee3da466aa73fbb2c0aa8df1b2282eeee50d0f4de2b7696bebb3353623ca29ca7e9662d4dadc63d7d50c89a0c22611b24d92f3d316858ae38be80ca45531cce

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
adc0c29c69701fc417ccf2cd14d6fa1d

SHA1
9090e96279baa66297f76a350f9a05645f84000a

SHA256
9b9b2e61cd3a687585a6b275231f24eb280c865baaa7e7ac9405c96c0239be17

SHA512
bbe56622e6b1275134d33f2a4819345bbc870fe2d193f5086c66d81109b3f49e76fb1d166e236e249f4128a1a8baed6ea02fbb0196df60809ba6061d79991caf

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
1cfa1b8c835cde253b5f568ca9304b2e

SHA1
f2cb019cbed57afc9d83811243a8b6bcbf8a24b9

SHA256
34705697169bdfc150d22e83b81f2598c2e6b63fd6f29fd7154502751e89a732

SHA512
7903bf056b706889674f10ef898acd2f70deed9e33a6b6f60640e4a707c1b139b3efea34a5f427eb3174245e1e378e7841d4ec1a600f38f8203638c036ad4a6e

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
3e170e881ed45cf64546ed19709c44c2

SHA1
0882d67b8808494c0051067a2405e506f67f73c1

SHA256
7cd07cd41fce5ebe4a395e40f0266cb9299c60a966b993f2aa2dba10cb7e7bfa

SHA512
aaf360b4399ab7c485740de4dd03bc5173abf30cc2c7c91d2aa3405a39a4a86e5b86ccd6a11cc45511a355052a182b43d95e709f5e86eb339fc9a0e96fe982f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
6bd612e2e51a0adca06d1a6f17715c9f

SHA1
e81b192ef799f57cc808c5e31fb1cb7c8143e760

SHA256
ffa49a5880ba56f67358fd8a40b6676fc553c5be1313e3daec285431b83871d6

SHA512
daecf5c0e5794e9b98513286bf52319135d8043f2b3b62c48c918a59a8c7b3020bead91f4d7b3215643db0036d1a95c14c38daa3108745326d9e07159ad81e75

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
209ad2e5ef8b009ab80837d82d6eedc3

SHA1
0c5e151cab6d71155e957c3d8b03a4df2b08e7e8

SHA256
447f3f15cac9f8c953490d74515da1ba7051b30443b9681a0713932ea355238c

SHA512
be8fc605553bb1ceb7e2f7bbf7dd5ae6cff9a558c0818e2e1534a29d1a06a26716b078f1e6bdbb9085b2ecc1e6b7bb9b69c4a29fa2e221372ebf120a2e0571e9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5d25e04459a87c1ae068ab0f6cf4403a

SHA1
aa0fdb4a81f9d4f1f439745e52940d84ad89dc0e

SHA256
c961c5cc1a17b54aa7a8cfde87178bfe96109c5ebdaa8f2745e09108e7fd656c

SHA512
eccabb97a19e4fa811236c804c664d85de718a52f8c65012c93066d1c3f075434537a973d426892a1f1447550913b6476f28c3c230b5d13b08bb5f06bc53e192

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ce98fe0c45b49bacd9512cb6ca5a8c16

SHA1
c93c64dfca4971c721f80fbe45e1a486a201fc15

SHA256
b85efdb42e57635f82bc900d9cf1dc065c4c251f9be6a96937b1db1cd487442b

SHA512
e267f5824b99137ec4cebb5207c717b63532c7c743e969838af66f9ef29586ba8e1075334e0a6d4fef4ed22ec6ca76632213cdbab2afb45133b144e465da92f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5050561dd6ddff05a2a7a1b4e0006257

SHA1
79b9a6088e45303511abb1f66385b7823c536b56

SHA256
5df513d797a83647fd926c1bbc943089e6fd6381e854a937515bcc20f8b629a8

SHA512
aa9a3d12264934334159256969e259da476fe21c1f465b06f2f5bd0e2d9334453ad4e501b5f5bbd78edf6ce21c45c5960e4d24c7c21fe2d3c16f16cd7d124455

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5c88d9558affe9413a31e9ce4ce91a23

SHA1
1bb0cdb8be1179b1aacf9297de2b774fca06e283

SHA256
4ed8e12ed0152bb5af85b8ce3b5fe2b6e3de667b89214d377d1e9f9a5202182c

SHA512
135eb869445ea818c4cdaf06ee4a73bb6a00e902300828e42a2d623dfcf297a6925309f7de28c702e58a4c393ce084f9addde060eca57b4d22363621b2878454

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
750d180110455acff9b70d726d2279a2

SHA1
986535098b1168147b71420c3da12435a54ae83e

SHA256
6327b39be852d98b46355422c3bd082d57eec0620a2857bc9cc12767e57cd344

SHA512
dc5cdd536a93e19f05fa72eabc4165791a4ec4e143d0453f895416c030e216eb55ed93e49b20b54df2866305474c8166084237404975cb057cb5a0acf22a1f1d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
056afa63f48a7c73a48a4a76e839a880

SHA1
de0ce83db3b682affad5ce1157ac2d7e8f207e65

SHA256
cb02373292c5e186bb954ff63c6e2d92743a89159450a680c94ebf7015ac8556

SHA512
874c071acf4489d8436032aaead23bbac705b34387d78182772709bc620602e488edd2352fac93cf3e932c5cbc2a67afb174ba622788f0c1b7d61b1a7f4d7630

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
db2b3df4a307fdcc2db73f9ba984c314

SHA1
d8852ae81f4148dbaf426938f88fdabfa15b504a

SHA256
8b43766e24fff22d5a0d5a5fbb6fbb7027e7eed9fea804ce5daeb4605b96fbfa

SHA512
b399c011d32f0bb34506f4e79c41ed3b6ec27c6d74f10da976a939d197a690cb0cca9374c14430cad79420835d3a752d6186793948c82bbd4454f0254b4c587b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6b454d1619e3db58c1bd57ffd0e6e03a

SHA1
0b36445539e6727f6446763a427779ce5e56588d

SHA256
30089da06533436eaad8ef4df7e0af8675f73b88922321a6238991fbaa0aedc2

SHA512
4ffb751c4890c2d2804ec9e83931cef403ed394a02fff9a7c775290820f7dced385822b27fadda078ee07bfb161d37e3a7b5136481bbae8e94946490a76abac1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f650791ff74937f122b668cc2ea4cab4

SHA1
910042f651e96c381b91e3aa59669b690337e4b0

SHA256
3d559816a9cc958b1b17fb7c9a1ff6a08ba73c6ea83f4f4277e687ff28970bff

SHA512
290b052e19f7368c4359b2131387e378d4b999ca1a52b3f3f6f66e3ea066d5908b14ab3d2838c7473f9787a903fece65339b59bf34903ee368c7c02c31c897fb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
b7a068f961cdd75d715923d04d99032b

SHA1
837a32db2b3e3d3b85781e80bdd39a8830c18dbf

SHA256
49bb7a706a144685a4eb715414bf3e25989b64baf919ee874919ac34d9f63213

SHA512
69c973fda0c990566accae9303f8e3e2483bcfa4ccf0ab7bde64ba051261c9eafc3011a8b7b3fc2f65299837986d2f88a6595f06ce13d28b6848b70ce00d0606

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
4a92a836680f68d36e8ef26c312e4650

SHA1
f59e41de14f32b01eee72c7387d22588c4df3ff4

SHA256
8121fa008597a32d9e538a9775319bee75dbf562236d1348ae65ca172f82c0ce

SHA512
c02f7b893834a8ef85e03324127048e034c89bf06d7f1f0dbd2e3d00054f72d6364b0cd3c90a27df1d706150c77cbe3f4022d08f9cfad15f9d997b3bc3968f65

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
8f541d8d98301ed6d8bcf66e8ceb3faf

SHA1
96fbdab0800fc4f0a4c7a9a758cdac690e8507aa

SHA256
f54b4febcbfcef98dd7b133d78b9d1164fffd9efeac75f8e56e03dc09da18f48

SHA512
96bdaf994110281a73d11b2256c7051e12cc196ff9f4cdcf60f4cdf90da86577c9316c7e01c42f9e989424443be1fbe338d6a33c033e41eee20edb9d98728368

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
d5b9bbe0ec625c4fba1d6595fb3d24e1

SHA1
657aa11fcdd1ea55eb33d4dff9e46b2e31e5d92f

SHA256
5a9ea158a55e27c5d6397b4a1dbf1a8bbd0d266d3f7134e2697076c1b5512feb

SHA512
3c491120fdf6dc5b01f393874ab8e04163b1e56aac067489c479b752a3d41b21a91300f7abc987961a57b17411f29b083a1018faa8c1afd64640ce0aaa4d8582

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
45f1a661f3d78258cbd5d8ea05ca7946

SHA1
3f93b611ef81a9fb693b8fa8ce4eb52576ae1c59

SHA256
8e69cc9f8aeccc7d592e28ba3692e88f6eab6af5fecb565f91abae6715891745

SHA512
a84aa8554fd1f718420605a3b6852a573623196b8f2e99b748af99f75387d823b1d472d57b795007afea04336eacaa38d12ffe4ca552d38bb5837fff5b7150e2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
6d272522bd2211feb49bb08dd52490bf

SHA1
e2b969f9837308d13d8ee9972f55485a6bfd51e7

SHA256
890ab81f3e520d867472317ca7fec99f954117be96963a5e5ed7d33ccb3e3e02

SHA512
28c1878bdb682ea34ed18545801eb65c3529d20bb5e48d7d568cb44af19f5c50de7e4d34425abe5671921c2b9a36e2013c1438cbfb7fa2116709a6a79f84f6bb

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
af27ddae005987cfa35588dc9e2fe828

SHA1
9b24ba4feb49c3d7809f2a8b274defb4953bd9fe

SHA256
665b84601d6fcf1828b23055a8ef99ab8d7bf74cf9f35fccd6bfed5c07c10d78

SHA512
26ef08d88fec2463413be5adc555d056087c9f43543253a51f7de137958e5e24e825bc75337d27b2b69d1aaeae8c58fcdb5d01728e8b64b1c9eed10f46f6f2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
608c53d52115e72c35233ed72140dcd0

SHA1
bcde54f44d165bb09c7b1f2ce1966ec8c1aebe9c

SHA256
a5b1e7a09f5ad55b10fb392f7817399fda3d16a766fbbe8dafa7ac03bc31b3eb

SHA512
dfac1b8106210da10261dcf12975b33b0fa7b14646f75339f9c8541a4889201cf501a0118afa4b80868f225d418a08700dc2ffe7b7a3310a566cf338104db333

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
eb7982b7dd3ef6874edf20b8a105a1d9

SHA1
989d72137e37ee8a4d02645c1cf93360acbfa0f4

SHA256
b154df1f421c6a9488d3d6b1dacad5133b96b245643cb38295f9e91e5d08fd21

SHA512
4bd20050b59d40334dd8f5608f36f2133e3b1407ac2530866d83cc84756230f7d4c0bad9edb548ef2f21b730076e053034bb51cdb2f99eb3f6cae12f302a9257

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
da065ddf0a3511789da0985e4a74762b

SHA1
38e249fa321b3a3542501f6b49b005a049ecd0e0

SHA256
ecb8c574df599474767ca87df7eefdc9dbc748e6f6b762e59cfd5e3bfe467499

SHA512
808e4bad71084100a3174175e075cf21d41a2489622603250c7c44e4ec6cc4da7792f6b5931460d5111ce528f2bc3a6df0e36c4f6b6366b005ae721abe14cd7d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
43884bf624fdc899378998ecc3f72fe0

SHA1
8606045cda0e1aa1fcbd3b98c9a22053bcbf84ca

SHA256
af35700c6152ba3c04004ab9ebd1d53e90c345b8d83ce5fc9af3f2ff7ff1fca0

SHA512
85d852f9b37eaf842e2f9605e3e12148a88e89dea2a8de9411ca59729f3129d8236eb235749d3689585e9b6939083c7a952078995d8a767015e831687576423d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
9e0f1b82f425d8184cc166053ea54d8a

SHA1
e1294bc9d43bd072cbbe884f75dc3511abeb0b30

SHA256
a2cc3afae940c418ab26c0c1b88c6ea549388a9eda9abddea19784be40c8cd38

SHA512
b8c58d1362c8616250b99e0749d459a3b52ca420c588bd6c5596e2c45ef6c1c0fe5081af051a4c31a3876991c2b49d8f95a740fcbcc0bcca3ead95690f289d9f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b706f91e1dc3d2620467cf4f14cbfe13

SHA1
c12e7e724c1aa757b54f84119ee67ea0f7f93f35

SHA256
6849c36ba8240dc385084fc73abf148a3e53786ad6c62d37aba2b471375f9818

SHA512
339e5db5851dae8cfee8d6b73357f0b07a757e957058896e22559907d32a226753fbf5b341565db04970ea427792bae802d6ff3ea8f865b1f390f2e2096b4bf8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
ae731e51756bd873f5fd6e4b7a4ad2b3

SHA1
0d850152f070e1da4223b12d1aaad0d4d159b2ae

SHA256
a11d39bb203326f89088539b2d9c2c3ed3a0bacb22e9e1028279a7015d174697

SHA512
b4e2f495445f6acc9024a7985a70c2230c6eafd590e8e7f43770806aca0d229dbf45e15c036c87476426ec0aca122a7f8fb7fbc3bf52cbbc98f7c924f395756d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
f2841a441c1f8295101cbeed64fa3204

SHA1
98b8abb3169979810bc870d9cf5abe6e95638330

SHA256
3cee140024278a8a41713e35553d695c59b8ca7bd7670bbef0d51ffbccb526b3

SHA512
eb7d7d8a602e5520e323ce5a13f7724605c7d06396aa0a977374bf66b07eab8976630695cf2f3bab167dbd2b37b37ab9b43b8038236f0e2324cc4c907c38b11f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
ac222851e663ab55c35a75153840b88b

SHA1
70b61cecfdf95d484e9640240934ad602521e4b2

SHA256
51bcd8dc8285559901b57071718d00235c23801e8b7be1ad9a06469c89618758

SHA512
37a8902299fc38d1cc2fab29f8a26fa14226eb8f7fc78c36e34de2004574e3fc18f95e871f4bbef1647258f9f6d6a85cc74e776edcd91d98d46cb9226ac0b4bc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
4389e0e437755d04d46c3364b19e43af

SHA1
c8da4bf8b2cd5044568c3e6b5e4c398e42977d32

SHA256
2d665a8e57624184bf34d5f40bdd7efe27bce5bf7c3555a2a8d8df79335593a2

SHA512
569fbce459070db20743ab11cc4e9be840aa793924ac7279b8c4cd58f8419c95f36cca79dc006fe4eb44fdc4c4ba459b687b517511bfb3a6df8c2bc39c221bf5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
a509bc85508ebf10adccdeb037a170e8

SHA1
ecc9a73a5a6fe2320b16aa07a69617012b5f7828

SHA256
37158ba2e2fdeccdd93ea5a0e1638377e336994671ef3966d1edf4db783d4b8e

SHA512
fb068fac2037fee2e0e55cf07775eede1028ac613ea1d6a267c5d9c414f39283d34746e5fb2374db21caa245e2220538577e4e706576b67b52c6a5491928b1c0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
86617984ba5cfc17618372d09c98cae2

SHA1
5c65fe6ffd65f17d39627180a8951b8ea21966c1

SHA256
b9611638a68dc5e85fdefab0f335c0b1b2b2af2eb524da208dc8f57398f25442

SHA512
29e0469b9ca8dcb11a6740bce96277251ebaf1317e7065c5dfe6b47c223d011eb4fa455ac3ecd9d68b803e88ed33726b8907082adad15f85c32103e0e7354081

Download Submit
C:\Windows\Temp\Cab5679.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar5717.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0817dd144bd1703a16af65cf81ef80e6\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
759KB

MD5
37c49cf471f7ad881127f9e38bed1a10

SHA1
473c3a7a28d138ccfff0d971a1ce9360ab990aba

SHA256
9ef88d67461f4d91de1e16fab938d5561db9d04898d8776f9e716fdd52f91369

SHA512
e88e5b3b41b5763ed7de4d3ef40ec77144252c30d8d67f5b387b905026bd856e9d70889ccf9f78b0c0a7b0298ca8afdbaed133675001dc60593c6fbc31e93c47

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
227KB

MD5
4ec89a4e8fe1b5b9916ace8dbabc0418

SHA1
dafec0baada7f2fa425978a5816fe852053fb1fc

SHA256
6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0

SHA512
648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\29de0de93cca1aedb9b5054c875f765e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
f58f8e0ce139a380268a1bc79a61ba5d

SHA1
ac0034ca57e2dbd1329e824a4c94a4054dcfb597

SHA256
8eef46038a4076b4a7d9b50a1b234c547af157e807f7a261c41231ecfba39b12

SHA512
e45f899434ef947a6fd87d7316f5323dac4d688e358517865861933640bba2479573c7e156a785edb5070489461dd68d0199c8a15529d5db5018331c05b25bb9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
221KB

MD5
78c5a493778f578ef5517fe161162819

SHA1
faf377bdc739623fb5f111d51af97e8c78f11525

SHA256
aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93

SHA512
6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\598b3491e3436966bbc7f4d722beb837\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
725dc16d164dd8fce449b3d87b5a9a35

SHA1
b38e512f235ad1a2bbb2c3f8bc96887e645cfd1b

SHA256
e6420e78687e6f44ea8919b94077d76e9c01641e2c9d6bf2e51262aef156e6fc

SHA512
56b9d987f42b93fc043d6d5433dbc90ee8d517efa012b5f5c80116caadc59241d2c0c459ee46ee0be2057f4ede8c61613c5518ea392034208cb04f58d08c5c7c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5b669fb0d0550318c9c709e5a3d5adc6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
a7ecfbf69c7ad947956d560457c1b8f9

SHA1
6f6d7acc89f11fc60d0efadb961474253aa99914

SHA256
fda743c27bdc345a35d8f1c8e26d3ced870adede9c9f591dab4742424276a149

SHA512
ca894d8b0188ec1a6e38a064188f1b6731c45a1d4cf1d8459950dd7d1b0579696c9028bcc6ebe6101d9029cc06522fb7edb01494acd0f1918bb31ab2a185e57c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
381KB

MD5
0811b25e0449e04f782127bc6f8ac5e3

SHA1
dc1766e20ee338b12fa80e3ce0052ef97ddf9e20

SHA256
20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c

SHA512
a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
947KB

MD5
b1aa17d171be82960213057ca35815a9

SHA1
6c68a8a2c524ddbe04395dfa613378bb311aa314

SHA256
c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e

SHA512
6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7cef543e15432b6a00ea1433e2aff388\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
27cf81648d0861aadf4097e12191da9b

SHA1
b43c0af4e9c5200a104ad35aabf4f0d7da18197e

SHA256
26802f99fad0c6e101b71122a3c8d3a70d21483086b2c6b6141657cbb740bbd7

SHA512
4ec112a03410f69d80a1764a604fc861b32a2ade1162ff63ee987f3dcc87cbd767ef4f4fbe7519a271ca236a553f524c80012be7c605b974ded23770abd06087

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
483KB

MD5
aae5a97685a809d0a0f661f9319f8a12

SHA1
b5fdd4ec4cc057fccc868de4f4910be89e23e48a

SHA256
c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

SHA512
d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
436KB

MD5
748bed51a810c033b91c660b5776ab95

SHA1
ec2616fb01949fb9fe4b0eea707f7095b69aa9e4

SHA256
45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7

SHA512
dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b22777deb45f6aeebf6bc7753dd76eea\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
220KB

MD5
5c35887a0b76108f6fb6daac51256ef5

SHA1
3be6ece2f60d205bcb955a5da0aa182d83cc1899

SHA256
9f8de356dab305f2be5cf1f75934eb6b87072e1745ab5ee73ab4b319bb9a2b5a

SHA512
0d1d2e5dd3ec776fab85e8f3b8cde32718bbbb52463c2702a17336326570a2fd624b0e32fd98182bba8c25fdd57ba861edebc1f00cfa66c04ec1c8a6f10fcee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
487KB

MD5
aefa28d036740086ae52d157f245200a

SHA1
d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55

SHA256
75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49

SHA512
3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c1c748a42e51b1de2ce4c3bbd10597ff

SHA1
e7fad8d223adae6ce25990ee8f442e2838f56418

SHA256
98bd172928568aac665e72d44873129f1b3f575ee462298df5a57717daac2ce5

SHA512
d50ecd165c25848ac6dd9c0353b941309697f19399d873879c0f81ae42eb99d8ce4f89b40a7423071fd97e0c070b2939dd1438f1a791fe559c86dd001fe999aa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
dc25054a8e2a25363b62b20543509b1f

SHA1
cd3a525030c3f77e8a587814711e833b0f3fc210

SHA256
9db9e1e9ecc4794626e1dc5cf1d37f822c4391a6b777cb7338241a1bde9f68f3

SHA512
292de281b4ff4c401a9e6dadcbaffa8a9f3967af86b95051b59b6fe0b41617faf3bb003e2fe9d87368c1dae9dbbdd146092fb9d31a51bbd0e7a7adb29b8ed6cf

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0a97dcebf038a22a20961a4f426e0b53

SHA1
4f5675c9b2a5b81e41b8a8db76d8fc6a38a07568

SHA256
bddaf856f32119288ab3d4f6b2255369ca0eda974171ff4e12a8acf7e66606b2

SHA512
0352c4e724d4b1013ef0a1c8e0fcaf95b26e5c28cf217bc73fb982b3ced03b161baa61fe10c68c0cf6b851b2d4df6f4b19ffad9c2f36401ba7161142dfb248e7

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
09e85b327a448dfc18e1e499cb6f5672

SHA1
7486654e132962c0812f189305528a74b24e9ec2

SHA256
30c3d422c075e2bbe3e00dfdb689049d6e002b084e8ebad497a85681d25678dd

SHA512
1fe6e4ca10ecbb2b06f577f526462b21e3313acc09bf5617a5c36a9bdccd088c41684ee9b932686b75c941a1e7f7242bd170d820e68095296ca36047cd5e8533

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
14a85f2c3d2e4bf16baaed34f705ab0a

SHA1
785cab6dd2de56885edf06d2b72b4967eae6234f

SHA256
99706703bd477005ce01edbdda721b2524c81566beee9a850312035ca48e5996

SHA512
6db473c3065d903186093f4b3d4fc8c4ada801bac1c5c445bcea64f0133e7376b970195fa490cf2b186b3a4516d52ea8cd6d5777a1aecf1997cc7b5076296bea

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8485b3edeb00b908cee439eb7a346b9b

SHA1
fead3be7a03b3a7a632c0046a44817eda621ba43

SHA256
57ab301f9cef451e89afe81bbe1bfcc2eaa32e98b7841a958f5b92a350182fa5

SHA512
040296ab87b1e538b5f4d55f287460769e2ccb206f83b5ebaf3abc4555cbb5b7b645e003802d0210ea5ff1d612618771f6bd573e0e22658377faa4b22fee5955

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
464e72c6b330c3f5df07cb2186a569bc

SHA1
48effa1bfcd834b5f229e1169432db1ad6b754eb

SHA256
95964cbf1e74e34b41dbc5b8743f0ac7e23cb680af7bc9f7ecba2fcb417ebbb7

SHA512
afdbbd6a0a13b5cb14bca76164348e70c637f44e544e94659108ce77d41dd8529648ea1cd5de455127a5ec36a6032aa20734e968c29f2e66fe5c5b0c60fbbd70

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
47741b5da7c95298ed7aac82aec6549d

SHA1
b938f1915dc8bcf8afc96644447a73de00b78440

SHA256
28e95547c84bcca39a34a6ee119de025c15e24968a25b5cadaaf309244279df3

SHA512
6a6c16ee2fa6fd218f578045aee052efbc7c75645cb025dc833c86a472da638afc5224b8f22035a95aff434f9190b3b3b6ad018ec559db850ee65ad524c4b5f7

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
b2d64b24a9c7eae27ef9a92314e0ace2

SHA1
b7bc22991999a19d35a7cd3a4cad7ee78182bbde

SHA256
4c2ff6fbf29a7466630b12636e2fb9ee13f66851828bdbd16c3008a43aac57e4

SHA512
89a2e0d4c3940693943078d9172df6d9f491eda75c644deaf3639c5e8f73e7858c44b351296728832bac6d40e0068c6c0b248e3f8013060b595f769cbc982db2

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
f99d70045ba51662bf3af513786c4454

SHA1
0bdce63e2a0c04e0e658e46d22173e0426dc93f0

SHA256
ffc1ed4cbc38c2fc2689471dc194f83ea770acfda2572bc825a3f2dac596a457

SHA512
129df38dd126c25a93dc9d112a2242d7a2164b234a405c363fc45b24b2640c846793f095d1d24bfe6980b3d60de258d4b40ce466e5cd19c678313b88108605d3

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e4f3e514add03ea92d0189d1b7e502b0

SHA1
c6eedb1be9ab231ddfc3dbbcc2f17bc278db3c91

SHA256
8b61f7276b07e8e3e103f2a4244e54bf84222e82bac243bfad210b9d214e6a68

SHA512
aaed50cac1eb8c84fbf99beec6a78301733d7f865152faf03227302e36437de03145618c10f98d9c99372617d91a9ddaddcd21a0288a934211fa0bb2cb8b82a4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
6391cb569a1a4f6ea698ee2a49c52dd5

SHA1
950095e49a7f1894723fb45a8da6fadf74b2e851

SHA256
a96874e58297ed33e0bed428e19f760e7fbf352dc473a8620ea687211fbf9539

SHA512
fc5b9ff8131eb52a1f15abdf0fa485d88b6e61b78ca6296f41f029e18c1083d8bc6db417f157b568ffaf33d84b3ef1e5f9c1404eae9d5da101d98b7a37bf0f85

Download Submit
memory/640-629-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/640-663-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/740-710-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/740-699-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/996-293-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/996-669-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1056-158-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1056-268-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1056-949-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1096-711-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1096-340-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1172-698-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1172-325-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1332-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1332-179-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1332-197-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1332-662-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1432-862-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1436-615-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-735-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-743-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1460-822-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1460-819-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1560-169-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1560-289-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1564-687-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1564-306-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/1616-716-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1616-727-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1620-872-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1656-290-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1656-661-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1740-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1740-20-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/1740-118-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1740-14-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/1740-22-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/1764-760-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1792-980-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1864-712-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1864-720-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1980-832-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-305-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2160-185-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2204-250-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2204-585-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2228-808-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2284-677-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2412-811-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2428-496-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2428-225-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2444-264-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2444-146-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2464-842-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-611-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-620-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2584-780-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2692-217-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2692-96-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2692-90-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2692-89-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2704-6-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2704-433-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2704-770-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2704-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2704-70-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2704-7-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2704-1-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2716-36-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2716-27-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2716-28-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2716-137-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2724-62-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2724-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2724-56-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2724-107-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2736-239-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2736-544-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2744-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2744-77-0x00000000005A0000-0x0000000000606000-memory.dmp

Filesize
408KB

Download
memory/2744-209-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2744-72-0x00000000005A0000-0x0000000000606000-memory.dmp

Filesize
408KB

Download
memory/2776-45-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/2776-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2776-40-0x00000000004C0000-0x0000000000526000-memory.dmp

Filesize
408KB

Download
memory/2776-84-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2820-688-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2820-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-756-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2844-632-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2844-269-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2864-116-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2864-119-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-231-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-955-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2864-110-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/2876-610-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2876-266-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2884-545-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2884-575-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2888-548-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2888-495-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2936-201-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2936-212-0x00000000005E0000-0x0000000000692000-memory.dmp

Filesize
712KB

Download
memory/2936-318-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2980-791-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2980-788-0x0000000003D90000-0x0000000003E4A000-memory.dmp

Filesize
744KB

Download
memory/2980-852-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2984-893-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2984-130-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2984-243-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download