95a6cf632b2a875eb38f7233bca559143c3f06216e459c059251a7b62b8b7fa0

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acd7d069120120fcbc09aef8d0369100N.exe
Size

648KB
MD5

acd7d069120120fcbc09aef8d0369100
SHA1

05786ab1c635d7a27a9ec78e1e968cd87d2bb382
SHA256

95a6cf632b2a875eb38f7233bca559143c3f06216e459c059251a7b62b8b7fa0
SHA512

ead07f6dbfcf2c904640c9d2f2caadb35663ac848c6bba14b3c8c389626e9bceeee5abf642e99b016a9d4d12a5d92ec558f17d1c9a624ec2c853a6ecf6b55241
SSDEEP

12288:Vqz2DWUEUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8c:4z2DWHatr0zAiX90z/F0jsFB3SQk/

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
1752	alg.exe
2732	aspnet_state.exe
2756	mscorsvw.exe
1656	mscorsvw.exe
2332	mscorsvw.exe
2016	mscorsvw.exe
1712	ehRecvr.exe
1764	ehsched.exe
1276	elevation_service.exe
752	IEEtwCollector.exe
976	GROOVE.EXE
2052	maintenanceservice.exe
1632	msdtc.exe
2552	msiexec.exe
2828	OSE.EXE
2640	perfhost.exe
2372	locator.exe
1440	snmptrap.exe
2684	vds.exe
2584	vssvc.exe
1076	wbengine.exe
880	WmiApSrv.exe
2980	wmpnetwk.exe
2880	SearchIndexer.exe
2252	mscorsvw.exe
2000	mscorsvw.exe
2304	mscorsvw.exe
2860	mscorsvw.exe
2932	mscorsvw.exe
2000	mscorsvw.exe
2160	mscorsvw.exe
2572	mscorsvw.exe
2628	mscorsvw.exe
1508	mscorsvw.exe
2024	mscorsvw.exe
3040	mscorsvw.exe
2572	mscorsvw.exe
1932	mscorsvw.exe
2460	mscorsvw.exe
2488	mscorsvw.exe
2912	mscorsvw.exe
1476	mscorsvw.exe
652	mscorsvw.exe
1800	mscorsvw.exe
2816	mscorsvw.exe
2988	mscorsvw.exe
2180	mscorsvw.exe
1700	mscorsvw.exe
2736	mscorsvw.exe
2328	mscorsvw.exe
2740	mscorsvw.exe
2864	mscorsvw.exe
2628	mscorsvw.exe
2064	mscorsvw.exe
400	mscorsvw.exe
872	mscorsvw.exe
2252	mscorsvw.exe
3000	mscorsvw.exe
2132	mscorsvw.exe
2592	mscorsvw.exe
2500	mscorsvw.exe
2352	mscorsvw.exe
2740	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2552	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
760	Process not Found
2064	mscorsvw.exe
2064	mscorsvw.exe
872	mscorsvw.exe
872	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
2592	mscorsvw.exe
2592	mscorsvw.exe
2352	mscorsvw.exe
2352	mscorsvw.exe
2272	mscorsvw.exe
2272	mscorsvw.exe
264	mscorsvw.exe
264	mscorsvw.exe
2160	mscorsvw.exe
2160	mscorsvw.exe
1996	mscorsvw.exe
1996	mscorsvw.exe
2028	mscorsvw.exe
2028	mscorsvw.exe
872	mscorsvw.exe
872	mscorsvw.exe
2976	mscorsvw.exe
2976	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2864	mscorsvw.exe
2864	mscorsvw.exe
1476	mscorsvw.exe
1476	mscorsvw.exe
2652	mscorsvw.exe
2652	mscorsvw.exe
2460	mscorsvw.exe
2460	mscorsvw.exe
2112	mscorsvw.exe
2112	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
1044	mscorsvw.exe
1044	mscorsvw.exe
2556	mscorsvw.exe
2556	mscorsvw.exe
2860	mscorsvw.exe
2860	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe
2976	mscorsvw.exe
2976	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\System32\alg.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\vds.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\672df266ea99359a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\locator.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\FormatReceive.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E9.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18ED.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	acd7d069120120fcbc09aef8d0369100N.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index154.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP669F.tmp\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF3.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6577.tmp\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2456	ehRec.exe
2732	aspnet_state.exe
2732	aspnet_state.exe
2732	aspnet_state.exe
2732	aspnet_state.exe
2732	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2988	acd7d069120120fcbc09aef8d0369100N.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: 33	2604	EhTray.exe
Token: SeIncBasePriorityPrivilege	2604	EhTray.exe
Token: SeDebugPrivilege	2456	ehRec.exe
Token: SeRestorePrivilege	2552	msiexec.exe
Token: SeTakeOwnershipPrivilege	2552	msiexec.exe
Token: SeSecurityPrivilege	2552	msiexec.exe
Token: 33	2604	EhTray.exe
Token: SeIncBasePriorityPrivilege	2604	EhTray.exe
Token: SeBackupPrivilege	2584	vssvc.exe
Token: SeRestorePrivilege	2584	vssvc.exe
Token: SeAuditPrivilege	2584	vssvc.exe
Token: SeBackupPrivilege	1076	wbengine.exe
Token: SeRestorePrivilege	1076	wbengine.exe
Token: SeSecurityPrivilege	1076	wbengine.exe
Token: 33	2980	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2980	wmpnetwk.exe
Token: SeManageVolumePrivilege	2880	SearchIndexer.exe
Token: 33	2880	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2880	SearchIndexer.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeDebugPrivilege	1752	alg.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeDebugPrivilege	2732	aspnet_state.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2332	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2604	EhTray.exe
2604	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2604	EhTray.exe
2604	EhTray.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe
1148	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1148	2880	SearchIndexer.exe	57
PID 2880 wrote to memory of 1148	2880	SearchIndexer.exe	57
PID 2880 wrote to memory of 1148	2880	SearchIndexer.exe	57
PID 2880 wrote to memory of 1792	2880	SearchIndexer.exe	58
PID 2880 wrote to memory of 1792	2880	SearchIndexer.exe	58
PID 2880 wrote to memory of 1792	2880	SearchIndexer.exe	58
PID 2332 wrote to memory of 2252	2332	mscorsvw.exe	59
PID 2332 wrote to memory of 2252	2332	mscorsvw.exe	59
PID 2332 wrote to memory of 2252	2332	mscorsvw.exe	59
PID 2332 wrote to memory of 2252	2332	mscorsvw.exe	59
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2304	2332	mscorsvw.exe	61
PID 2332 wrote to memory of 2304	2332	mscorsvw.exe	61
PID 2332 wrote to memory of 2304	2332	mscorsvw.exe	61
PID 2332 wrote to memory of 2304	2332	mscorsvw.exe	61
PID 2332 wrote to memory of 2860	2332	mscorsvw.exe	62
PID 2332 wrote to memory of 2860	2332	mscorsvw.exe	62
PID 2332 wrote to memory of 2860	2332	mscorsvw.exe	62
PID 2332 wrote to memory of 2860	2332	mscorsvw.exe	62
PID 2332 wrote to memory of 2932	2332	mscorsvw.exe	63
PID 2332 wrote to memory of 2932	2332	mscorsvw.exe	63
PID 2332 wrote to memory of 2932	2332	mscorsvw.exe	63
PID 2332 wrote to memory of 2932	2332	mscorsvw.exe	63
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2000	2332	mscorsvw.exe	64
PID 2332 wrote to memory of 2160	2332	mscorsvw.exe	65
PID 2332 wrote to memory of 2160	2332	mscorsvw.exe	65
PID 2332 wrote to memory of 2160	2332	mscorsvw.exe	65
PID 2332 wrote to memory of 2160	2332	mscorsvw.exe	65
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2628	2332	mscorsvw.exe	67
PID 2332 wrote to memory of 2628	2332	mscorsvw.exe	67
PID 2332 wrote to memory of 2628	2332	mscorsvw.exe	67
PID 2332 wrote to memory of 2628	2332	mscorsvw.exe	67
PID 2332 wrote to memory of 1508	2332	mscorsvw.exe	68
PID 2332 wrote to memory of 1508	2332	mscorsvw.exe	68
PID 2332 wrote to memory of 1508	2332	mscorsvw.exe	68
PID 2332 wrote to memory of 1508	2332	mscorsvw.exe	68
PID 2332 wrote to memory of 2024	2332	mscorsvw.exe	69
PID 2332 wrote to memory of 2024	2332	mscorsvw.exe	69
PID 2332 wrote to memory of 2024	2332	mscorsvw.exe	69
PID 2332 wrote to memory of 2024	2332	mscorsvw.exe	69
PID 2332 wrote to memory of 3040	2332	mscorsvw.exe	70
PID 2332 wrote to memory of 3040	2332	mscorsvw.exe	70
PID 2332 wrote to memory of 3040	2332	mscorsvw.exe	70
PID 2332 wrote to memory of 3040	2332	mscorsvw.exe	70
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 2572	2332	mscorsvw.exe	71
PID 2332 wrote to memory of 1932	2332	mscorsvw.exe	72
PID 2332 wrote to memory of 1932	2332	mscorsvw.exe	72
PID 2332 wrote to memory of 1932	2332	mscorsvw.exe	72
PID 2332 wrote to memory of 1932	2332	mscorsvw.exe	72
PID 2332 wrote to memory of 2460	2332	mscorsvw.exe	73
PID 2332 wrote to memory of 2460	2332	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\acd7d069120120fcbc09aef8d0369100N.exe
"C:\Users\Admin\AppData\Local\Temp\acd7d069120120fcbc09aef8d0369100N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 26c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 218 -NGENProcess 264 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1e0 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 250 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 278 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 21c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2a8 -NGENProcess 248 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 248 -NGENProcess 1c4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a0 -NGENProcess 250 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 250 -NGENProcess 2a8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2a4 -NGENProcess 1c4 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1c4 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 26c -NGENProcess 2a8 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 2a4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 254 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b4 -NGENProcess 26c -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 26c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2bc -NGENProcess 254 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 254 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2dc -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2dc -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 308 -NGENProcess 31c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 314 -NGENProcess 32c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 324 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 31c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 334 -NGENProcess 31c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 308 -NGENProcess 344 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 34c -NGENProcess 324 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 31c -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 344 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 324 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 31c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 344 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 324 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 31c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 36c -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 354 -NGENProcess 31c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 31c -NGENProcess 354 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 378 -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 32c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 354 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 360 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 32c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 32c -NGENProcess 37c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 31c -NGENProcess 38c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 394 -NGENProcess 384 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 384 -NGENProcess 32c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 39c -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 38c -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3a4 -NGENProcess 32c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 32c -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3ac -NGENProcess 394 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a8 -NGENProcess 32c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3b8 -NGENProcess 394 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 32c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 394 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3b4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 32c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 394 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d0 -NGENProcess 3b4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3bc -NGENProcess 394 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 3c8 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3b4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 394 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3c8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e8 -NGENProcess 3e4 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3d0 -NGENProcess 3c8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3dc -NGENProcess 3e0 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 32c -NGENProcess 3f4 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3e8 -NGENProcess 3c8 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 394 -NGENProcess 3fc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3fc -NGENProcess 32c -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 40c -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3c8 -NGENProcess 394 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 414 -NGENProcess 32c -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 394 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 414 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3dc -NGENProcess 394 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 394 -NGENProcess 41c -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 42c -NGENProcess 414 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 414 -NGENProcess 3dc -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 434 -NGENProcess 41c -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 430 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3dc -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 3dc -NGENProcess 434 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 444 -NGENProcess 430 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 430 -NGENProcess 43c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 44c -NGENProcess 434 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 448 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 448 -NGENProcess 430 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 430 -NGENProcess 448 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 448 -NGENProcess 434 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 460 -NGENProcess 414 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 45c -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 434 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 414 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 414 -NGENProcess 464 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 47c -NGENProcess 434 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 480 -NGENProcess 460 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 484 -NGENProcess 464 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 434 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 434 -NGENProcess 480 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 490 -NGENProcess 464 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 494 -NGENProcess 48c -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 48c -NGENProcess 434 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 49c -NGENProcess 464 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 498 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 4a4 -NGENProcess 434 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4a8 -NGENProcess 464 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4ac -NGENProcess 498 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 4b0 -NGENProcess 434 -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b0 -NGENProcess 4ac -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 49c -NGENProcess 434 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4bc -NGENProcess 4a8 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4c0 -NGENProcess 4ac -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c4 -NGENProcess 434 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 4a8 -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 4ac -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 434 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4d4 -NGENProcess 4a8 -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4d8 -NGENProcess 4ac -Pipe 4c0 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 434 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e0 -NGENProcess 4a8 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4e4 -NGENProcess 4ac -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 434 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 4a8 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4e0 -NGENProcess 4ac -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4d8 -NGENProcess 4f0 -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4f8 -NGENProcess 4a8 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 4ac -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4f0 -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 4e8 -NGENProcess 4f8 -Pipe 4ec -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 508 -NGENProcess 4d8 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 4f0 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 4f8 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 4d8 -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 4f0 -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4f8 -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 51c -NGENProcess 518 -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 508 -NGENProcess 4f8 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 528 -NGENProcess 514 -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 518 -Pipe 524 -Comment "NGen Worker Process"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4f8 -Pipe 510 -Comment "NGen Worker Process"
  2⤵
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 514 -Pipe 520 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 518 -Pipe 51c -Comment "NGen Worker Process"
  2⤵
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 4f8 -Pipe 508 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 4f8 -NGENProcess 530 -Pipe 544 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 528 -NGENProcess 540 -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 548 -NGENProcess 538 -Pipe 4f0 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 530 -Pipe 534 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 540 -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 538 -Pipe 53c -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 558 -NGENProcess 530 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 55c -NGENProcess 540 -Pipe 528 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 560 -NGENProcess 538 -Pipe 548 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 530 -Pipe 54c -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 540 -Pipe 550 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 538 -Pipe 554 -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 570 -NGENProcess 530 -Pipe 558 -Comment "NGen Worker Process"
  2⤵
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 574 -NGENProcess 540 -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 574 -InterruptEvent 578 -NGENProcess 538 -Pipe 560 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 568 -Pipe 564 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 580 -NGENProcess 540 -Pipe 570 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 538 -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 568 -Pipe 56c -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 540 -Pipe 574 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 590 -NGENProcess 538 -Pipe 578 -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 594 -NGENProcess 568 -Pipe 57c -Comment "NGen Worker Process"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 540 -Pipe 580 -Comment "NGen Worker Process"
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 538 -Pipe 584 -Comment "NGen Worker Process"
  2⤵
  PID:1864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2604

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:752

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:880

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
e50cffc4a935a5a69501a5bab703370c

SHA1
88eca431c72fbeedca5023cfbc241d1e52716708

SHA256
2f4ff8630c8f2ffedf8b3ffb11c2545d9ed61f8819dd88b0ea49324689bace96

SHA512
2986e9f98283dc64f29fe42c3d5cf7bfa26685e280f1fd83829fbb8502728f901849ee66f1237b7416581bfe7c5d0f95ef2de0921916b580f0c117b08cbe3592

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
a19e6a1cabd438b08435cf2894f48f15

SHA1
fc9870d80c7ca74eb013e7bd6d0279dcd166bcb3

SHA256
a62a96c2cc0fe66ae5e92eed92703ccf0179cb2a336a981d5767727db03f0df3

SHA512
01da827c5bc31d7c393e65f56e9d92c4e1351ee6978a1dd96196050ed8eefa7a6486fc9bbcda0365f9d114a080fc861c00ad12aba91611bf9eac5930dbccfc17

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
87229f8ee40bb618972f00b0c25c1b02

SHA1
6545d530173a744c5df768a6993b228561146727

SHA256
325320c80efbf4ea66dec12c02ab17482317eb7f8794030153b028991b29878a

SHA512
b00b8cdc7d0de963fc33bfe7a5df76bd1ac1fe3a09fe4cb12dc37ad37ee2f364b831c08f4fe08c8cf1637c4d5a504ad182b12880514077d20b20e271783ad752

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
25dc1dc7b61be1027a07e29fed2736e2

SHA1
5bcea29dfeecab724f2f0c397db72feabd43a955

SHA256
f82be40d5d69b03ca6e9f02bb9e0fb265643df7ea116e08dbbb595d1d4e33017

SHA512
1bbfa094886c7d60f7b98c5e0ef98f15b7afdf6602a9b84f21c2ad4ba61570b775fe38432c4b9a729dbe19dab50bd45dc92b6d6553d3d36ffb0b51601d9f627c

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
7e6090e1445bf8195b54127a8acf1923

SHA1
95157d36e6e6a2aa6b59aa1df46b60a9fc1a7e35

SHA256
61fcfcc43bbeb59e1401a54be05f927b12b9386f577e65c4bd34372598845738

SHA512
fa112e4fdbfc82173d3287eafdcdd412c0247a93a82a328b600786cb8a814d9c8c7d197ba5737fd71ae95d18bfa22960044fc484bd53b1273c90b08ee809849e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ce6e9ec2853401bb20994ec3df9dde3a

SHA1
ccdc000b03e04b7a601766176294038830420a7a

SHA256
8c29d918143271b0df005fb8fdfd977c2c99020be6e9d707a5c60f8def2f91e0

SHA512
051fc3e0878c55f0f63f825ce7caf45d643c96f04798e516b87f60e64be3887f690b7ee300f5559781044400c4722796d0a54aaf80b28f6ad7ced3642733bf05

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
45444fcf7eb90faa256f37931b05111a

SHA1
6328d5d154366120dab504b7a107a4f5e8629d20

SHA256
8bad9327b3aa1a0d0570091f9ad0fdca7b1e91629303de01ee9946e323b13179

SHA512
09e88510cb72bec0c47d866c2a9ceb27ec2684ac996e305a30c16940474b844cd9d79bf78dff5165c19111e64a1f1269ca2ffef5bc8c5d006a89877f9217a2db

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
12ecf9bdc7533290c7464a96e6d5c79a

SHA1
d3b540146b4645bdb92d2acf44f9deea86108f5c

SHA256
03b6bff5b07ad3e0a853d26e1ce2c3941899941d5cbea6ab9560e60ddd8c777e

SHA512
a913b78443aba07b3dc3866a3db337eb3c62232b9a2fbdd5373434438ff67ebb72a14e21381d4277dda930902522cfdd7c3d3f726923b9683ce2bf75c0519947

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7210a2cbd2c238ac290ef766f4a6132d

SHA1
c2f7c5ff373832e4e11e64211058b08e202d4e17

SHA256
18259dbcf91c7457cd5b943c32ae4bd158fd0ff741f88d29cad03df110b10ae7

SHA512
e2b1debbe80abce41da92c37d1f03d8694e54cdbb8503a542cdbb99d13a8abede8d34fd24f32bc348502e3d041528a745f27ab265689eff5e672b2bb4d210474

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1d04f1f590d4dc1bb79e550aad997f1a

SHA1
5ed974f7befb95ba747d616917d2a108aa90a1f2

SHA256
38ffaddeac6cc1aadd907424ace9e898c5f151b68322c6727faecbf61f32b782

SHA512
c17bfdfb04be37060aa94fc6022a8955413a269d02df8bd9f9e0d94f3c7ac77398c8142b071894d9f6b73363026024b822bc86ac045f29f65430f08b770ec799

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e975b157d5a2d29c787d37756056df42

SHA1
d7313b8c1a34c8d01f428a1d039b18f18a955b8e

SHA256
c11c06a28ee428d9ff7ee309459badde6e4880cacd70495c1166c26fbb8f6a39

SHA512
21b134f0b828d9ecf29c3fa17e72a96aa9a891df09ba8bbfe01592955de6eb689ab6731a43d52bf92f381badd592e07750371a5c1c2018dd8c41fd9e16d6a82a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
497badda46a43b72f0e36b80f587cf68

SHA1
4698bfc8de472213cf8d8b2d627ccee64fc889a6

SHA256
c2e44851dd9269214d62cfabfa2487e39ae474b5fd3fdd7de2fd338808121b14

SHA512
6fe3ba5ceb26af24efdb364ee5af51018c6e2e0021dca8a213d5688a52a379bb64f307ca3c58cea5e90a3dd4851dc1182bad6fd3cfa0408b41e75731f9db8f0b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5f9f0270e622f0ad95d3ca4638eacef2

SHA1
99feffc418abc3038b21697aa6655d624a47d017

SHA256
cdee71ff6c5699bccc01a377126d97243326b7aae26f592156f285f46cfb6633

SHA512
fe005de9386747d610c2ae4cd2aa3dc3b498a9cc8324b1c9d30c1ac4946abb263b5b507ba3840b357e941c389f358be22b8204a7c2d490fccd222f2b416a0d9d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e330741e1cbcfdf7992a762a1d2ded8d

SHA1
1bdc90d120367adeb22ce655f50777d324a90392

SHA256
92b2099418e30d7a56170ed844667e33a1315dafa8251e0f7a5a7b23ad5981d4

SHA512
4504afa442332a00f1aabaa9ea642c04a5571673fe2e2818681f1b19e894495b95793e2db514a8e252e58becedac3158714a469af17afa04fdd6bf8eb8436495

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
58a0f7925759e5a3cacfdffb50d82de4

SHA1
d6e9da89dfaa9a344d404b9e28018722d83eb3d7

SHA256
5507f9dbb41e7c7d84982c52e5bc6c8ae0f7fa374deb02249391a94ab401acff

SHA512
6da21e267d55ec2d3909e3de61f62c73f160e5dfa1321db2d4b1ac302ddd434f4cfa3ca5c15a99b8bbbaaf8579377bc4c53d0aed5fbaec125134510577e5b196

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
d86d7eaf4d901fa353ab2a8237f1754c

SHA1
620732135f179f95347ddac86a3327e29bd64d0a

SHA256
df1ffdbcf37e99aa0a3b53adfb791e4e9bf422274e52b5d510bbd7465745606b

SHA512
ed88532b4e430c7467d16b7935770a9ef1f744ce6e1f1e5b97b595594e8c7f0b2394ac1ab4333350cbb0fe19d7fb4d9d25429845249d75531dc39767b95eef6e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
6aac6aa78a4e45987545295ce27fd1f7

SHA1
ad57c8dbdb9fc90700aac62bfc8253535eb65435

SHA256
19dbed636656012f8ddc90b9a77777f4964d7649048c26d1b899ceed0ff002a1

SHA512
e366f20cb5bc74445ff8efb8f09b2381e5657f27171dbb24f459fe4a2a4a05ad9a0eb62c468c5678ee8aeccbc5d841db570b75dc704caf6d4b600df25269e00c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
4f39a3ba2163575c2102ad25e891ac35

SHA1
3361739e95ccb2c45831c5077f6fd7f9a54fe506

SHA256
bf1ff16fc3c10709cae81e38a8d465fd21047eacd44d6045606c6e685bb5347a

SHA512
b8c8b788b6ad88da1727b574f4a4a9a1a319da79ec9d972b50c3c93a472684b1687e1b60a7c6ab9b2feec17e755430b7e11c78ea13962ea1878869c43185a4b1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
ac9182bec731d920908aad4ea8abaa38

SHA1
7da0588f0660f7444f51eceb23796faec845ecb4

SHA256
ec0034c767ba1d8e574a76b71bf72a6c368d113d7e40ddb83565cc358f0a1197

SHA512
e7b7753de117aec2c3e6a17b331ebe1232586a9e99f9ae5615ffa8b0f01442c469d20e42828398914988c1ef48e812975e2c8dc53fb5872c4313edb7c01a129d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
94173230a056909eab3a332d39fafc48

SHA1
d6b3f2b62131948b6b34ee98e59d1387fbf10d3e

SHA256
aa1a57b2c6c519b2fbdfa31efe5fe39b94433c685bf056577dcd649a29765267

SHA512
b4c07832975646deaa34a1a7b82dc2d02db777331e2e85a8ed19035216b68e18e383cfd9d60ccbf9cb56a8c4807b05e52534c47f47de652dbecacefacf6cede7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
525931cde297c23da1d99d041b3e5f79

SHA1
77fcf3e015975b60d66e1f6db7e74b83b604006c

SHA256
328b289ef18fe5f5215cd7774861376612c48cb7af2a99903578dd55f4440893

SHA512
be00dcb99dc01e372ef18758661efb1eef39047aabeaeb39434162d2b59da38c0940fdfc65b8e011a130667fba062cf2f79505418ae71eed882f4ccc7a6c5748

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
de491b28171c0fd8f5c341c0ba76d9b2

SHA1
574ade6611e08a959a1729974c0dadfbe55068f4

SHA256
c37b9a2d3aedcb1ed40233952dc7fec45cf2649df2e3661d01344f1aabf47505

SHA512
72d5cd2f15499c702246e6f0ea67cf9352b5a8ccf9e4541ff6c83bbb322af5a2c8ff7bcaf42a9f5f3c7a965369a5183dec8df43dbaf9fba72f01f3aa2875f148

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
4a8f498dc6e9ea37589b9e897be3e0d3

SHA1
d70f9735d4c329b3a80c466bf895f0c2709368d7

SHA256
a7bc0ef91b93a229baca3208f4e3509332b98b4e0cea3af7258113c85e8b079a

SHA512
c4a72f1c8c4a442ef950df6450a7bc84ac290361b9a034649eae507c197d3bfdf2084449db5e990fa3eda1209bd7fcd1847505bf0923918d746400b00e06edc8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
914ccd5abf3969f3b7a886c57cec5202

SHA1
db8e5f8c1f038a8f3401b49d2ea394f3995ec18d

SHA256
1125a4e1266c297122c7341938776ad9a5bbf782e2dfd2db7589787fcda31d30

SHA512
0207b8db600c0eb47b46f663f9eeb09db5c71fab34e5221b4611413a7a19629821986da37c2ff5cb06997c09df220be59cec4d0e1cdaf567f082c89782056a77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
24d8a8e5c4674ca966539027f996d1b1

SHA1
25eb67b8b64996d63aadceff21bb9ea9a7ca7395

SHA256
27c4c86e98409dce405da9ad9aa1c51483dab5f99579b5a510e704861aa02d33

SHA512
98fbf21e27c96d42cb4b9333082ce2b09d104a9a5407169d637978546aaf2caca316bd9cbc1ca815c9022de1f85a85d8fa1121e5e39e8abaaf3f0e3b9cc68e55

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
0be483196afa896add1961881ce58e00

SHA1
fbf2e80607c08494ef59be106d34b1739eb9718a

SHA256
e4b570188a1ad3555782b043e97d8a9994739ad246afef0bbbae9383d145a0bf

SHA512
19ea4fdaa9ccc5b73cf5197daa9652974fb11320317c61ed5ce1d12225b340c1c622c91824a24bac6ba9b6df78070922128ddefdc9e1c67a6f5976d3bb38e8ab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
9b2371aac9c41073fced3691116d4217

SHA1
0ebe5cbee5478e387d4f327de717212df279c544

SHA256
187ae808007a35640decf36ea31ccf1dd6634ab67509b7051e984a534d5118e7

SHA512
529a96fbf057930076d0b0adf3cb2006c0ff9c9fb90345330fdc45effd795647222412dc49ed2d74d0976b53208f12ec5810a995a95f900d41432cc96bea5aad

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
ef5780a5235e6875f26845881314c3bf

SHA1
3bc66aeeb8ef7cee2235bb8ed2b202776cec4d73

SHA256
6e2ab0d04dd17769597e2d832cf13457266cd575e17ef0b034ee3c45b2ae0cc9

SHA512
f2ec74b0ff9a94a3917db8efdd829e22a72353710153200518bc51656cf959f4ae36c564f3f8ff07c5536280e85ed47b0aea3bd24b8557e5b9f88ccf43e6761f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
055cbf3a1146d248f1d3797ba987e0b0

SHA1
26b1c5a33b920ab510fe08cdf7225d88a9410c09

SHA256
0bc9b81eba539385f70b365b87d124267bbd444151241fd5966b0203ef2674b5

SHA512
f08a1ecd0611e7d09eb42fea6f1305e2f8fb841923749f92f18bdc040ac45f50004019fa2db636d54042a45e74e51ac7553964e412ddc3ab660081ee3504cb1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
7c9cfcdf5ec1c18af89a46212f4c5a82

SHA1
dab349d8b81ccfd46c1a3244d06ab5dbd7b16b34

SHA256
5c8386066e5f8bc67791f22ce4e45740616e7ba9cd57b1f95474dbd9afb257c7

SHA512
24914abc988d1c33816490b02af67208b12801fdbbaf2cd5e58d3db9357708aae6becf2eee845532a533bcc71a7e22aebdcf5ebc0625c8daf8f9314c0ba8674f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
50f0736b9953c8bdebac4dbb87852818

SHA1
8018bb7aa9e44b47ffc7c954f7a05281fa135b2c

SHA256
b9eb89a3c7309cf771cd21efcee7fa79e0a59d894cbb325bdff57c476e82f2f3

SHA512
05f25c8443b76c116302697f82b3b964c451e6e84bcf3efbf1fa67aeab22c963704ce85281b09550ebe9a4274f6822fb0cf32da62821263711e32ce4ece38393

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
9c68bfa9aa50277d4aa117286bbfb547

SHA1
254e837dbd501d118436fdbee4fad3dead8559bd

SHA256
982105b11d05e205e6bdf5c0e6d8f4922dc28a6b8195869ba7501beda2ab2471

SHA512
794a7ed8a6021dd31f4339bd871c450290633a11b8c29c8839d6456f04288ddb9451ec18a15234f75c8f54376e18872141a58c1acaf7bd846bd28cd1e17b1aea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
0d9e32a6f78b580004c1a7063733547a

SHA1
fcff4e3cd30a17552324357b4afa91f3d41664d8

SHA256
16bca33fe84fc98ac02d9661c2710817bf9eef630a8092e41b2d58b4d29aeb77

SHA512
00ecd33bf8a22621609f7ac2457877e1c56e122e2ccfefb66287221307c669fc3d38b95816010af84ec1d46b2026ddebd2cb0a08000103da8ec26cb3518237ec

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
a37cecdfbea64786a36b4022e386015f

SHA1
d433a094f8d7bbba0bd17222c859eb5ab72fef1e

SHA256
acd2b7b339fe8e3034017635409f0fcce5bd7d8111f7e1c69ade20d23971aade

SHA512
085502228c88c4cc6f5c2418666df08d1a4ab8a508fd0ff83c20d425951c333da8f9c4349486c4f2bb4db14cc66ac3e376d56fe8442385f8512cc3f265af5e18

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
694426fe2b53dd8148bcd309097d9875

SHA1
28b0f37ba05dbd130eac0d4ef58d836aa85c1036

SHA256
12bbfae6a4c9342656174d439425c16c6880eaefd4f52ac035f670da04bc3ee6

SHA512
0a1a3308c216c7c2392f01872b56fa18265904f03410974679b18960040eb684d05069ff8109e264ecdf2c37740ee736a8115fcb6cae6dc10fb09153d4a4423a

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
d964489b540dff212e68d1257a9e799b

SHA1
803f32b79f4e65398779ef6d69bf4f60dc696856

SHA256
d7e9124abc6f4fe09b9f7f055a2be1dbf78e8841055ea62029356991e6178770

SHA512
ad3640674766e52a3902bc48de47b8391024a4a9dc2c7806db7203ef6760a277202be2a1b29f9ce7eb49b390467d6272a8d0556143ec0f26a485c50cfed3c5b4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
80bf72716bee04bd4c63831e7cdf6993

SHA1
a2f98354973832db3c9d23dc91fb731bfecabe76

SHA256
fecdf9be7e203439a224feb9f4159a3366c9d26aaea96fc8b69071141ca83291

SHA512
d6a72b838079a328b00121c4213960008ad640b4f09709eb7d9339117b55cc73fefd785090ae1cd9aad67d38f38347555b42134f500b132a7a5accb8296d7c9a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
0ffb41a306342c216fb3492ed0e89337

SHA1
9e2cee2516c95ed4d9c138aa59e168087fd2d1b5

SHA256
871ea46bba17251c1330832397db803085c18ab0fc924f39f153a20a4e7d67d2

SHA512
617c5cc99089f62031f6184ec0b563b1ca600e34de4ef2c68374007bbf54546729e8b5e66e25e5e4ffdc57c7093bc9c3cfd94969bef9cfea6b0290bbc3a6fa35

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
445a731e102c4daa18f93108eb37d9ac

SHA1
852a3cae6f04fecf21b0fe9cc62588e6ef49b570

SHA256
f658f8a3387b3ca2056bfe684dd687aaafebacfe362a3407ec01eebd1ed9090c

SHA512
8e1ffbb98ba585fa96b03c02f79f80dc79009db6f1c806e8f1b1050fd972f2c5fe49078ebfa84f0cf02606c31c7b15f0d7ea7a40093eda52582d9518f8153d51

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
2b8b7b4f6e66ae12dddc91404b8053ce

SHA1
b65d75742af04c74cc9700156e6702e36d49a20f

SHA256
b1c29ba2ee1b571523065adb933f40959c546b3fab7bb303ee5e6920e1467de8

SHA512
5ead8cf73f6db6337458d37b93f9e7d41c83050292ead9b79ff1cfbfd1efddb02678ca7a07c1b7f63c9ea43d7589579efeb3cbeb59bc7ea96300f3a9fc4ba3e9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\00cf0faa3d37faa0ea2d240c1ca307ef\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
75c84340d765d73eac1c743a31b6571a

SHA1
52aeef700a52b8e687316f42816eb9c0599354df

SHA256
b72a1f7da8b3c3dc95c2252319f6f3e71c81ed8bd59a5b31bd2861e14c364459

SHA512
9a9cdbc3a103e733150fae265c594dd7378ca402521387e466732f2431472a6a0e6cb4dfe02fe9f5b975a1739c685471ad2a4dddcdf6f12c4b5be469832fd5f1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\181356b1bbb85fe2401c4dfad1a45133\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
158KB

MD5
a763a9348ab4ee3bd593bb17d854e51b

SHA1
4d0c97ba6877e2f9ab32fe1316936a4f2e0ff2c9

SHA256
b2f9dce9baca3e56fb3587ffe30ca38eb0f89ed30985b328a853778480c0f87b

SHA512
e8d3896d4bd788d3ed923e0c9d3ba19fe9fc507060e2e5e8e410964f4c9d7331928324a79336079ccc84c050d8f0acfb03126a2e3622daac3846b0bfd028f602

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\43ac81bed18b52d77a8011ada80939b5\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
296KB

MD5
7687295a6e19cc656b077e6a61629d4e

SHA1
fa1025de5cffb56a3d1f8cae9d09b7171b33326e

SHA256
ad8d210d001d3298ad4e1cbf08449b2cbd2b358d28cfad99db78639627a7cb86

SHA512
19de95fd90bc6f091e785074ee71dc15d450d65fbdea933e26650fb9c747d81ae2fca7f5f83192f17451a49a314d264cabea2202c805b6ffab729d381675734c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
356KB

MD5
87111e9d98dc79165dfc98a1fb93100b

SHA1
4f5182e5ce810f6ba3bdb3418ad33c916b6013c8

SHA256
971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42

SHA512
abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d3da27723f045f2bcbf3a8910b78bf5\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
ee90a4a4bffb23ca2921260f41b6bebe

SHA1
711e6be3f370156d6b28613aff5cd60e9cffa5c6

SHA256
7d9f3fa67407c40021c153f5ff1af283cafcb4f1767480b1f2eecfb934dafdc4

SHA512
26f8d68a6bb84355681937774a3dd6161e9788eb7d1ddb2d46e244f476fdef00bdfbeaa40113cffd39c36c93ca9dee029aab99e8c03700281dbb81aa242cb354

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\59a8779f56e5920bea2b009d74b516a4\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
b5c33e2a2c4af44b39f00d5328383549

SHA1
6b2978d3adc3495ff0d4882577780351a2dda374

SHA256
77a4f430d4598378d2152a64b28729c28ac841685662b816fd2c16bbd29fd3aa

SHA512
cbb25166ca511fb8d823f35653d1d348570714a5eb881e49f8b9e37dd9c2b75f55037590f162cdb14d80b94075e57f8498fced9baa2ff179a12e369fa5b3b6c9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5c8b40c69a2293c8f499b38b25c41117\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
157KB

MD5
7bdf8e0c9aa04b71a52dd964005f4363

SHA1
a87e809146d3c70093a189c37f0a96b8bd0ce525

SHA256
0406be7235661a62f68bff4c7640b4e241a0c392d548bf242ed08ba0eeaee66b

SHA512
4983ebf42241723cf258407c7d2a0773f395c861741f4e98bd7ac86e1ef0a597f89263bb5a986b69ffd43836a5e49d8f03342736b4c3183ea0c58b8099af2051

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5f2320d38621eb541713e6cd421c2b8a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
648KB

MD5
7ebbba07bc6d54efd912bcd78b560b7b

SHA1
a6aee1a80ddcdf201301ac29293c62d58bcc941d

SHA256
637dc357ff9011902186f2fd128ca74ac84fdb6d984f15036803b6a8fe28868a

SHA512
2139a0d520ed70b72dc76fdd0555185386c9c22de1e1fb7eaac0607b313500c44f856c76ac6e2cd72148ea0b86b10bdd2b0ab7daacfc945cb66a637b8d99cfe8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.2MB

MD5
0637ad2bf6fc5ac1d29e547155bc818c

SHA1
a502879466b6dd37eae5881bbb18353f97623852

SHA256
868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f

SHA512
1d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9248a710d7fe2485a557ce5d3cbcf2df\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
607KB

MD5
e9ca062e4958cc25400c804029a5bf62

SHA1
1ed4374d0d0f568936fdebe17d9110481d6b3344

SHA256
a09436c1df8fcd8ecd1732d6e4e68f32b092e71e0c5d3308b0f3f20abd03d4e0

SHA512
43a9ea20d1e636201c0ce7098c198b893465b45f747ed2a002e8dd0bfc7739c28e166d259faf3a0087ae1fe59c74cc8e598f2b283cc7ebc345b6f3b5c388e520

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
65KB

MD5
da9f9a01a99bd98104b19a95eeef256c

SHA1
272071d5bbc0c234bc2f63dfcd5a90f83079bbab

SHA256
b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d

SHA512
dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b8e029b1434d965380b363483e376df0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
329KB

MD5
eb09a7062a66a50fe2cb16c4a80561a7

SHA1
33b4c71ced7644be9802374a4f04c866394daaca

SHA256
e94a4ad1ef9de2886a231e857c8691328c2e6e344cc9e82440e5c45b8a788256

SHA512
c57a4c626c87032ca422df04ce7c3322662a9b0c6c06a46e93f08ca8f431295c9ae802cd79f53cae5de2b39a30bbeb756c966880e874ed44115cf511cc1ff920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bb63c81d306795319eaf7af25f67342a\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
141KB

MD5
58cacef7cbc000bb5ddeedc08a598f36

SHA1
f8963d4ac1f7b72c2ee4a0a6d45b921f4f88bab7

SHA256
124a0869df89ec2c9f0b307dd6b6d17e1e1e7ad638e0b4abf4483c15f842d270

SHA512
9cf04e365abcdcfcb9c1f927da83a2dfe0791cccb80cd84ed63b03264d1e253060c455ed8664f35aee0a59e8c172f859ba49c67c9eec811a53e656c076c6bf66

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
278KB

MD5
d74d434aa70ce827715b5e0ac7eda5be

SHA1
b53f3374be4c96af51c78fd873de1360f17c200f

SHA256
54701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496

SHA512
631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d36d5faf337c14ca97417ad2d1b160d9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
93d0775e417ce3677d7f01cee57f5140

SHA1
6c178349e4b6d3026732ed5186a1fe0860bc1e9b

SHA256
aca40c4be1ac4db099f03389d34da9764f226ecbfab53dbf15ca43f04ad93bc5

SHA512
267e573ebb93e1e2f0dae8777525e2975a259cc3f013e3e3815ebeaf688354401fbdc03775b12c0a7348595aa60d3ec3b9147079ebd6f383b832f2f66857e266

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
93a7a59391ef0155d614fb8854f24095

SHA1
af0d7d981e75d2af983ef88bc1786bbfcbd0f46b

SHA256
c07b331044b5b1cb5a1c0f8e06b96e39d20da89ce5a9c7e4a5f75fa112446dd2

SHA512
40c86dfbf8e25dbb260e85df27c648e35633bb7c0adfe2f4965a8ca363b536f63e90378652b576f4a83ba3f72b5ad7508452a848e0b26430b4e9e69157544524

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
54b1bbe6c009ed1d95ce3f9c39c08431

SHA1
0677dc327dd7335656d7d5db9a087f9b198310fe

SHA256
bc767c65911d1d1e6150c899816fb5a5835685bb17a213283e637502c3c2879a

SHA512
e77e6f9b2f286a9e1a9380c7dcb6104731e0bbba802e092b2a42b9e4d130d6c02b8e1c98eb87d4a31df903c867f0185ddfb71a00e3ac2772b89b926e8761024c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
b7ecf91d7c44d21769cab17f0ffddd70

SHA1
1960e0fdfdf0827fa99131e58004c6a142789c90

SHA256
d78be4f9687be19f479494f0ff949d7543d52a0bf77054f0324c22aae9097562

SHA512
07bd57b468e2db253304da72d25b3ce321438e187ede9e034db3b8f512aed237b67b8dcb8611f09807c0b8883d09de96a48e59ed4d303633eaf38912602cd9ca

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
bce560d761395f94e870d1798edbfa35

SHA1
db2fba4ba9950d6b62a88bec75583d96427ea528

SHA256
dd2fcb4cf6bd0bc5be7be4f1c1fef03162f2ed62eaaebbdecf4a9df9e8a907e1

SHA512
d12068b51704a31ddb59e3c700bb61386173cdc445a2fc0f5ccd3fe203adc166849aef71861040bad3f7bf10e118edd3676f19076c73e1de56e518f1e41e3ef7

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8e45363d735f85a1f7c127deb3bf1717

SHA1
6c9eabeb74ae2282cad7969eba5418737fe721ad

SHA256
d77113b1424d72abcb14daf04d7b2b5811d38c71cd72005dab84e1360120d15e

SHA512
96d4ad1486977765f15ddac6e61c49cc59c58a9f72c590e5c8edafcd3070c767c03074a60d018ebae747628c1c0edf29f86555dd5d2ef7cf8e4c99de26e3c35a

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
e0a02fd6a178924b7f2f65b92abf4f15

SHA1
6cb3d4f049d308cafe35a17d6bfc9ad5a0ab2467

SHA256
53c78b74bbf8ea2f30556d2ae8d171933424af6c3029d178f5c2a19a826b4b7c

SHA512
5584a9583d5c6f3701c2a77d6bf4bdd596401f4e938032b7fc08731d2277b8b66e420214d5c32200c503e1864edaa16dfe795775684daa63c6d92fcc1490ba0b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
04a7502686e7896df056d6fee3dce4b3

SHA1
a5d2cf9c739e1fecb1df51d1d6c12406abe941d7

SHA256
a8e73c8b32156a9b22ad1e52699c61c6bac1b8e229cb0f27c3533fdd2e0718a6

SHA512
7283f34d68d6cb8416c8260181654c0d3e446b3f5fb74fa42106c31febbe8bee172e918f66f75710f2801ab4c334e659b9f1078950ec852f7565501ca21113d1

Download Submit
memory/652-828-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/652-814-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/752-269-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/752-151-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/880-665-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/880-313-0x0000000100000000-0x00000001000C4000-memory.dmp

Filesize
784KB

Download
memory/976-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/976-170-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1076-315-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1276-265-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1276-145-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1440-267-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1440-634-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/1476-808-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1476-798-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-705-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1632-186-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1632-326-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/1656-91-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1656-64-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1656-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1656-56-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1712-111-0x0000000000280000-0x00000000002E0000-memory.dmp

Filesize
384KB

Download
memory/1712-231-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1712-120-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1752-119-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1752-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1752-15-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1752-23-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1764-124-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1764-244-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1800-831-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1800-827-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-764-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-618-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-621-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-666-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2000-669-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2016-101-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2016-94-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2016-216-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2024-716-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2024-726-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2052-198-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2052-172-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2160-680-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-677-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-599-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-609-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-630-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-633-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2332-204-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2332-77-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2332-72-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2332-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2372-253-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2372-629-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/2460-772-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2460-783-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-780-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2488-786-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2552-205-0x0000000000540000-0x00000000005F2000-memory.dmp

Filesize
712KB

Download
memory/2552-331-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2552-597-0x0000000000540000-0x00000000005F2000-memory.dmp

Filesize
712KB

Download
memory/2552-202-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2572-749-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-737-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-689-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2572-701-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2584-312-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2628-697-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2628-704-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2640-617-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2640-239-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/2684-270-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2684-653-0x0000000100000000-0x0000000100114000-memory.dmp

Filesize
1.1MB

Download
memory/2732-28-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2732-144-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2732-29-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2732-35-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2756-82-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2756-45-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2756-39-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2756-40-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2816-842-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2816-837-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-598-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2828-224-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2860-642-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-652-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-332-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2880-692-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2912-797-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2912-787-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-654-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2932-657-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2980-688-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2980-328-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2988-0-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2988-576-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2988-852-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2988-93-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2988-575-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2988-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2988-9-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3040-736-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download