a4390ea375af6ba1bd049cca169b5625ee6324f1f764f8cfe52b4d8e1d5ab2b5

Analysis

max time kernel
120s
max time network
111s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad186fbf3c31a13e121aff47e3407150N.exe
Size

1.3MB
MD5

ad186fbf3c31a13e121aff47e3407150
SHA1

779f0081b7f17be3371733d76942dc2afaf83f9c
SHA256

a4390ea375af6ba1bd049cca169b5625ee6324f1f764f8cfe52b4d8e1d5ab2b5
SHA512

943be3bc6c285b10fd2105215c82ada02896254cd64a01e8f8f40e784f36019c19a6b6bf29bf2602f7f3d3de37eca7d6be39faedfca5c71185106b25f33d3d9e
SSDEEP

24576:44oTPkCgwCbae/Fk6Ovgc9xVirnlBUKZ408vTZrX+lgdW:RoTcwSFkeYiLlBUKubZrX+ld

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2864	alg.exe
2412	aspnet_state.exe
2368	mscorsvw.exe
2712	mscorsvw.exe
2580	mscorsvw.exe
1964	mscorsvw.exe
1064	ehRecvr.exe
2900	ehsched.exe
444	elevation_service.exe
1716	IEEtwCollector.exe
340	GROOVE.EXE
2444	maintenanceservice.exe
2312	msdtc.exe
2940	msiexec.exe
1728	OSE.EXE
288	perfhost.exe
2356	locator.exe
1704	snmptrap.exe
1424	vds.exe
1304	vssvc.exe
2256	wbengine.exe
2992	WmiApSrv.exe
2800	wmpnetwk.exe
1916	SearchIndexer.exe
2680	mscorsvw.exe
1120	mscorsvw.exe
2072	mscorsvw.exe
2244	mscorsvw.exe
1444	mscorsvw.exe
2444	mscorsvw.exe
716	mscorsvw.exe
2244	mscorsvw.exe
2664	mscorsvw.exe
484	mscorsvw.exe
2756	mscorsvw.exe
576	mscorsvw.exe
3004	mscorsvw.exe
1460	mscorsvw.exe
2060	mscorsvw.exe
2520	mscorsvw.exe
1156	mscorsvw.exe
1688	mscorsvw.exe
2796	mscorsvw.exe
2368	mscorsvw.exe
1084	mscorsvw.exe
1076	mscorsvw.exe
576	mscorsvw.exe
1920	mscorsvw.exe
2612	mscorsvw.exe
2680	mscorsvw.exe
1360	mscorsvw.exe
1764	mscorsvw.exe
2168	mscorsvw.exe
1996	mscorsvw.exe
1076	mscorsvw.exe
2500	mscorsvw.exe
496	mscorsvw.exe
656	mscorsvw.exe
828	mscorsvw.exe
584	mscorsvw.exe
2384	mscorsvw.exe
1372	mscorsvw.exe
2036	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2940	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
748	Process not Found
1996	mscorsvw.exe
1996	mscorsvw.exe
2500	mscorsvw.exe
2500	mscorsvw.exe
656	mscorsvw.exe
656	mscorsvw.exe
584	mscorsvw.exe
584	mscorsvw.exe
1372	mscorsvw.exe
1372	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
804	mscorsvw.exe
804	mscorsvw.exe
1120	mscorsvw.exe
1120	mscorsvw.exe
552	mscorsvw.exe
552	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe
1980	mscorsvw.exe
1980	mscorsvw.exe
1864	mscorsvw.exe
1864	mscorsvw.exe
2664	mscorsvw.exe
2664	mscorsvw.exe
2372	mscorsvw.exe
2372	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
2928	mscorsvw.exe
2928	mscorsvw.exe
1248	mscorsvw.exe
1248	mscorsvw.exe
1312	mscorsvw.exe
1312	mscorsvw.exe
280	mscorsvw.exe
280	mscorsvw.exe
2168	mscorsvw.exe
2168	mscorsvw.exe
1808	mscorsvw.exe
1808	mscorsvw.exe
2520	mscorsvw.exe
2520	mscorsvw.exe
2252	mscorsvw.exe
2252	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2045835164d8c98a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\locator.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\System32\vds.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6873.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index165.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP40F6.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP59B4.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index164.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ad186fbf3c31a13e121aff47e3407150N.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP42EA.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index162.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8CD5.tmp\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP89C9.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP85F2.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP37D2.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad186fbf3c31a13e121aff47e3407150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1872	ehRec.exe
2412	aspnet_state.exe
2412	aspnet_state.exe
2412	aspnet_state.exe
2412	aspnet_state.exe
2412	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2512	ad186fbf3c31a13e121aff47e3407150N.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: 33	2640	EhTray.exe
Token: SeIncBasePriorityPrivilege	2640	EhTray.exe
Token: SeDebugPrivilege	1872	ehRec.exe
Token: 33	2640	EhTray.exe
Token: SeIncBasePriorityPrivilege	2640	EhTray.exe
Token: SeRestorePrivilege	2940	msiexec.exe
Token: SeTakeOwnershipPrivilege	2940	msiexec.exe
Token: SeSecurityPrivilege	2940	msiexec.exe
Token: SeBackupPrivilege	1304	vssvc.exe
Token: SeRestorePrivilege	1304	vssvc.exe
Token: SeAuditPrivilege	1304	vssvc.exe
Token: SeBackupPrivilege	2256	wbengine.exe
Token: SeRestorePrivilege	2256	wbengine.exe
Token: SeSecurityPrivilege	2256	wbengine.exe
Token: 33	2800	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2800	wmpnetwk.exe
Token: SeManageVolumePrivilege	1916	SearchIndexer.exe
Token: 33	1916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1916	SearchIndexer.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeDebugPrivilege	2864	alg.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeDebugPrivilege	2412	aspnet_state.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe
Token: SeShutdownPrivilege	1964	mscorsvw.exe
Token: SeShutdownPrivilege	2580	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2640	EhTray.exe
2640	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2640	EhTray.exe
2640	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe
3020	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3020	1916	SearchIndexer.exe	57
PID 1916 wrote to memory of 3020	1916	SearchIndexer.exe	57
PID 1916 wrote to memory of 3020	1916	SearchIndexer.exe	57
PID 1916 wrote to memory of 1184	1916	SearchIndexer.exe	58
PID 1916 wrote to memory of 1184	1916	SearchIndexer.exe	58
PID 1916 wrote to memory of 1184	1916	SearchIndexer.exe	58
PID 1964 wrote to memory of 2680	1964	mscorsvw.exe	59
PID 1964 wrote to memory of 2680	1964	mscorsvw.exe	59
PID 1964 wrote to memory of 2680	1964	mscorsvw.exe	59
PID 1964 wrote to memory of 1120	1964	mscorsvw.exe	60
PID 1964 wrote to memory of 1120	1964	mscorsvw.exe	60
PID 1964 wrote to memory of 1120	1964	mscorsvw.exe	60
PID 2580 wrote to memory of 2072	2580	mscorsvw.exe	61
PID 2580 wrote to memory of 2072	2580	mscorsvw.exe	61
PID 2580 wrote to memory of 2072	2580	mscorsvw.exe	61
PID 2580 wrote to memory of 2072	2580	mscorsvw.exe	61
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 1444	2580	mscorsvw.exe	63
PID 2580 wrote to memory of 1444	2580	mscorsvw.exe	63
PID 2580 wrote to memory of 1444	2580	mscorsvw.exe	63
PID 2580 wrote to memory of 1444	2580	mscorsvw.exe	63
PID 2580 wrote to memory of 2444	2580	mscorsvw.exe	64
PID 2580 wrote to memory of 2444	2580	mscorsvw.exe	64
PID 2580 wrote to memory of 2444	2580	mscorsvw.exe	64
PID 2580 wrote to memory of 2444	2580	mscorsvw.exe	64
PID 2580 wrote to memory of 716	2580	mscorsvw.exe	65
PID 2580 wrote to memory of 716	2580	mscorsvw.exe	65
PID 2580 wrote to memory of 716	2580	mscorsvw.exe	65
PID 2580 wrote to memory of 716	2580	mscorsvw.exe	65
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2244	2580	mscorsvw.exe	66
PID 2580 wrote to memory of 2664	2580	mscorsvw.exe	67
PID 2580 wrote to memory of 2664	2580	mscorsvw.exe	67
PID 2580 wrote to memory of 2664	2580	mscorsvw.exe	67
PID 2580 wrote to memory of 2664	2580	mscorsvw.exe	67
PID 2580 wrote to memory of 484	2580	mscorsvw.exe	68
PID 2580 wrote to memory of 484	2580	mscorsvw.exe	68
PID 2580 wrote to memory of 484	2580	mscorsvw.exe	68
PID 2580 wrote to memory of 484	2580	mscorsvw.exe	68
PID 2580 wrote to memory of 2756	2580	mscorsvw.exe	69
PID 2580 wrote to memory of 2756	2580	mscorsvw.exe	69
PID 2580 wrote to memory of 2756	2580	mscorsvw.exe	69
PID 2580 wrote to memory of 2756	2580	mscorsvw.exe	69
PID 2580 wrote to memory of 576	2580	mscorsvw.exe	70
PID 2580 wrote to memory of 576	2580	mscorsvw.exe	70
PID 2580 wrote to memory of 576	2580	mscorsvw.exe	70
PID 2580 wrote to memory of 576	2580	mscorsvw.exe	70
PID 2580 wrote to memory of 3004	2580	mscorsvw.exe	71
PID 2580 wrote to memory of 3004	2580	mscorsvw.exe	71
PID 2580 wrote to memory of 3004	2580	mscorsvw.exe	71
PID 2580 wrote to memory of 3004	2580	mscorsvw.exe	71
PID 2580 wrote to memory of 1460	2580	mscorsvw.exe	72
PID 2580 wrote to memory of 1460	2580	mscorsvw.exe	72
PID 2580 wrote to memory of 1460	2580	mscorsvw.exe	72
PID 2580 wrote to memory of 1460	2580	mscorsvw.exe	72
PID 2580 wrote to memory of 2060	2580	mscorsvw.exe	73
PID 2580 wrote to memory of 2060	2580	mscorsvw.exe	73
PID 2580 wrote to memory of 2060	2580	mscorsvw.exe	73
PID 2580 wrote to memory of 2060	2580	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ad186fbf3c31a13e121aff47e3407150N.exe
"C:\Users\Admin\AppData\Local\Temp\ad186fbf3c31a13e121aff47e3407150N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2368

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 23c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 238 -NGENProcess 1d0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1d4 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 248 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1d0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 238 -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 274 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 25c -NGENProcess 278 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 238 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 238 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 1c8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 204 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1c8 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 1c8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 204 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 204 -NGENProcess 22c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 284 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 270 -NGENProcess 258 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 290 -NGENProcess 258 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 258 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 298 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b8 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2d0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 2e4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 304 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2f8 -NGENProcess 310 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 318 -NGENProcess 2f0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 324 -NGENProcess 308 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f0 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 308 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 310 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 308 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 310 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 308 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 310 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2f0 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 308 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 310 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2f0 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 2f0 -NGENProcess 360 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 370 -NGENProcess 310 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 360 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 310 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 360 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 310 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 360 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 310 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 360 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 310 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 36c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 360 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 310 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 36c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 360 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 310 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 36c -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 360 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 310 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 36c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 360 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 310 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3d4 -NGENProcess 3c8 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3bc -NGENProcess 310 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3dc -NGENProcess 3cc -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c8 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 310 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 310 -NGENProcess 3dc -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 3ec -NGENProcess 3c8 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c8 -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3f4 -NGENProcess 3dc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3dc -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3fc -NGENProcess 3e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 3f8 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f8 -NGENProcess 3dc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 40c -NGENProcess 3e4 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 408 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3dc -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3e4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 408 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3dc -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3e4 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 408 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3dc -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 3dc -NGENProcess 420 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 418 -NGENProcess 430 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 438 -NGENProcess 428 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 420 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 430 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 428 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 428 -NGENProcess 438 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 3dc -NGENProcess 448 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 450 -NGENProcess 440 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 438 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 3dc -NGENProcess 45c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 43c -NGENProcess 438 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 438 -NGENProcess 458 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 464 -NGENProcess 45c -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 460 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 458 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 45c -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 460 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 46c -NGENProcess 47c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 438 -NGENProcess 460 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 460 -NGENProcess 478 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 484 -NGENProcess 440 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 480 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 48c -NGENProcess 478 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 478 -NGENProcess 484 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 494 -NGENProcess 480 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 480 -NGENProcess 48c -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 49c -NGENProcess 484 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 498 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 498 -NGENProcess 480 -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 480 -NGENProcess 498 -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 498 -NGENProcess 484 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4b0 -NGENProcess 460 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 4ac -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 484 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4bc -NGENProcess 460 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4b4 -NGENProcess 4c4 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 480 -NGENProcess 460 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 4c8 -NGENProcess 4bc -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 4c4 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 460 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 460 -NGENProcess 4c8 -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 4d8 -NGENProcess 4c4 -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 4d4 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4d4 -NGENProcess 460 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4e4 -NGENProcess 4c4 -Pipe 4c0 -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4e0 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 460 -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 4c4 -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 4e0 -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 460 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 4c4 -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 4c4 -NGENProcess 4f0 -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4e8 -NGENProcess 500 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 508 -NGENProcess 4f8 -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 4f0 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 50c -NGENProcess 508 -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 4f4 -NGENProcess 4f0 -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 51c -NGENProcess 4e8 -Pipe 518 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 460 -NGENProcess 4f8 -Pipe 508 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 520 -NGENProcess 510 -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 4e8 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4f8 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 510 -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4e8 -Pipe 51c -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 4f8 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 510 -Pipe 520 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 4e8 -Pipe 524 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 534 -NGENProcess 544 -Pipe 538 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 528 -NGENProcess 4e8 -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 548 -NGENProcess 510 -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 544 -Pipe 53c -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 4e8 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 510 -Pipe 540 -Comment "NGen Worker Process"
  2⤵
  PID:1356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 558 -NGENProcess 544 -Pipe 534 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 55c -NGENProcess 4e8 -Pipe 528 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 560 -NGENProcess 510 -Pipe 548 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 544 -Pipe 54c -Comment "NGen Worker Process"
  2⤵
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 4e8 -Pipe 550 -Comment "NGen Worker Process"
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 510 -Pipe 554 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 570 -NGENProcess 544 -Pipe 558 -Comment "NGen Worker Process"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 4e8 -NGENProcess 574 -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 57c -NGENProcess 510 -Pipe 578 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 57c -InterruptEvent 560 -NGENProcess 4f0 -Pipe 544 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 580 -NGENProcess 568 -Pipe 564 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 510 -Pipe 56c -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 4f0 -Pipe 570 -Comment "NGen Worker Process"
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 568 -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 590 -NGENProcess 510 -Pipe 57c -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 594 -NGENProcess 4f0 -Pipe 560 -Comment "NGen Worker Process"
  2⤵
  PID:1372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 598 -NGENProcess 568 -Pipe 580 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 59c -NGENProcess 594 -Pipe 510 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 5a0 -NGENProcess 4f0 -Pipe 588 -Comment "NGen Worker Process"
  2⤵
  PID:1800

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:444

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1716

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:288

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
b3b8154b4dadc2fa1dc7f9ce388517b4

SHA1
65c0e8b64c53c685e245d6213fdbe67213768bab

SHA256
3fb924ebad16c77efbe6e53f84d72564379bfe0d4374afe97e54b37bcf481cd7

SHA512
f4dd16348dd238aa5f6f148c4c3ad1b09a8cd39404745782373dd192f0ed4df7b812fcd2451a9422e8684bd64ed5e159357b14233e8365137648327992bd49c5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
ff9676aa68d8270d0442e8d02e20fbfc

SHA1
8165978e24359fd0d137867909f86a6702f12338

SHA256
b86be8ebd9efb322cb130e29d04eeca15ced3077e6dd2003d96d14c889f1b5bf

SHA512
0f2e5b11af96cee9ef1d3bb8ce81257d5be01b875cb9d1b40a1d2b4fb6a002f51fbc3781679251186bc2eab1b03bfe667598d44b61b64df7f3f208711cd3dc5e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
2c0fcc037324b35597dba9f4c0325b17

SHA1
82228885072b6e39cddf2a274d6a00ec96c980c0

SHA256
3aa647a7ce373b29fe2b9f138475be79d90159ab8b40935be9f962cce4722c81

SHA512
e6a46c58a30cdbd88e2bfe304547223bd18a6d6cd13f0789b571b7c824ad90677b8d17dbe6224b056f9ced5c24579ea24ccceef7c4748cbd8779090a09dfb8c7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
9eb94a72bd7bc70deabdb613da416040

SHA1
449266c62967c9fe0235ed8029a5938a3ff76f1d

SHA256
6e2f20d068592038dc7c28189f1dc5e4a8404271f07dd90e491db83de9c4e398

SHA512
100f6fe67536e7bebc3b350ce775689d62eb57e47d8900d7696a47a325ef47e505382d21d29784b48afcd56cf68288c7eea7c118dcee11425a5a5e8b4f6a49a8

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
00b8d41f79f68295be6e65709338d2c4

SHA1
95d8f78920820071ac27f3a82e124e60a8ffbfb4

SHA256
768bea82929d13001e150f522419a91ed7e7b1333c9ca7af50d482527b2b18fa

SHA512
04cf211d91620d321ef5474a7c2651e389d8ade24da779fa2310dfe61d95255672a243296d84c6ee483727dbdd682a7501125375b03d255ebfd54ef639046f1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
edb15f0d5f878ce238319018b964d2c9

SHA1
1969bbc9f162a8465b1599fc62e5b0780f11d96b

SHA256
06e6f12ebf2d7612d2974b7a444a64c36b5c57bad4c55453ae80ec67188e607b

SHA512
9d12d50947ceed5b04f01da2eea803c8e54e495e408079b35d47631323b81fe24241be195d039af548f614a8371e9a2681daef92d3ba9eb40df5629213758334

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9b18c0ab97f3f63e3590928651867a12

SHA1
b0d72b53e43f739abe89c93a40aeb3a5457fe24e

SHA256
3c0132eb7e0e696f91dbf24c1dfe479118055994734c1da9833557eeec7682c0

SHA512
d7d572c534342f05beaf7c450c9ad5d3d64e81d71767a8805b81651d2981f0172dc67da9f4618eb46de8ea23a8a87cb8a7a213e5d048dbdf8a1c2ad3f73dc610

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b6bb4c72ebee0d474bad79d491cf3ea7

SHA1
3ab7a19ca4a07e88571c96fbc04773eee1bf1798

SHA256
5c8a20126ffe5e2bd98a7ce5e189a944a3ce81db5e0ef1cabb80ec19a934ccc2

SHA512
f781479a9a3255439eeaa9578f1eda18122c88875ffce01eeef9d6a273ddcf07936fbbfed080d185e78cc2d6b4726f71acfed9e26bd1f55fc30c70d639b59439

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
60dab549985085cc9b66126f5efb2f35

SHA1
4aa69081a7c8f55704aeb122e59345d8955276e5

SHA256
cb4e875c4e1ae65824230946d1c10f293d5b26dacdc25abc851dda4f8f6da5ed

SHA512
1afe6147de54c68a3166ecacd30a961307050cab883ea1f954918e311f4e267cc3755dda43a034c04ad6ba4058683a4803b13866dda703f17e9d49ed145ddb4d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8bd53bb5f232f406da7011ed4b94bee2

SHA1
0f3fc54033abde26030578c8e03c74c85651161a

SHA256
c3879d9979a892c61d45314bba25ac40bd1032777b23a40dd38914345b6eb1cf

SHA512
74a68eb0ac5ef106b2a23f898f6481f9c4209c1f34ab87ad73bf7d39f3ace9c48e2c6cb92909da24fb6154705b622df902c82847dceedd98e0dae3efb23dbcfc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0894087bae1ca667d68f48c03fc1c5ec

SHA1
81643abf3fe52645b87b3424c826b4109bf84f87

SHA256
49c7a5d38b5d0277b856b85a7154778fe39276771092df0b02ceb662dac275bd

SHA512
cd667bb49e2e796cf114f5bc871e13235641e23cbea7605367a9564eb83514a560040b60e48dfcc0a027fe231797d6dce0658d7ec6de1fb0e10cac3064d9569e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
d5e9590f0c1824e0a828035bf730eab7

SHA1
26057b7177713a988dd0873537c90b89aedf2a45

SHA256
9bfc4dfddf9f24f0301891fb3af23da08f645e71511e4d854f349e26104020c5

SHA512
272c5e1def8c8403fc18f171c5d3591cbda791e66fce38035f14b512ca949d579b2929d4168e1af8eb1ff0325f92cdef17b1ec61763cf0edc4f8df87a67fcb6c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
51b1489c91f65147a48f0312fd859065

SHA1
350abc7565789543fedb1193a151311c4f6d0940

SHA256
9adf858be63c02a04e5906ea36fd358fa921bce0f9117bb27fcdbce3b9d972df

SHA512
3bdd046b209ebd0e03de53754e21060e0c716707bfabf57db1f1468655ede1240e35bf18da2ed50443364d56015a863d5b08d3aa847a3ec7699e771f5663913c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e0122ed63a3d5dd2243cfa0e947a42dd

SHA1
34e215a8d8d5d9cfcf25284e71a0b9cc052db09e

SHA256
be8f6e4ad21086ef12c9937ab3910f82537bd5d750e21ce1b1c9e7dd069b535f

SHA512
b2f18a1f28d0ea4f2847ece6121b16b140eef121d3e2a85fa345c08ca25e97747cb180cb40b79f3aad10c14acf30b70ee654d5ce0b69c1e3ba58508424658833

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b608a30f24ffdd867cd6feffdafb2b33

SHA1
97e9ba469b286072111916b814ce90a9560848c1

SHA256
9b2f8eb48bc15a91cbd8a8a22c9f03e695e880bc904e5c042a5cb959048150da

SHA512
2688d46aeab27da49d1982d210984c6af3d710fa7623391390e76258482cea2b339ce22f5a33afa7f18960fe2a5b9df576ba2c4b813b11d75e41582da9f2a256

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
989f9bc01c762b55ea973cd7f5dd0793

SHA1
bd39c3c068f68f1a60faae69394391df20c58cae

SHA256
60f437947cf10779f67e53551f9f5450b2971f2cea92c57fa6ad3ac365ff6d11

SHA512
9ff2bf496a5f85c302706ff0797e47377d53913b15b5d88ccde032b947b841a3bbd149d17d44991ee7aa6ce31fbbddd0fc70e81bdf66adac34b987755aa3af5f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
d4f500166770d56d7af654368e9cfd88

SHA1
6652be536c6e65d6e20be0fb0b464cb4e71832f8

SHA256
cdb03345d0d92642894559fc7feffbae35097f6ca5b737be972be32a777aa43a

SHA512
2f82fc9e770ecd2c0bf1282070660f6bf8b145cc7e65f945e41ad2d0ad2db7fa4706c7381c6fa34ef384cf11403b62388b22a0d4d2a16eac2ed5f5f24f8508a4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
39ad4a26aaa505f8f18deffeeb273e4d

SHA1
5954976ccabc194e750a745c60df7aea0a5962d5

SHA256
d0a16ef05678ea57565293b83048c04e1703839bad5ee686e5eb81652e26264e

SHA512
39eb0233abd6711e6c87ae830fe67a43e74f06e367df07421364633125531604570f93f6f85ed1e12bdac3b7bad801a165021898cbbf44a3c369935428b2df41

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
249b05959a3484f2311035706ff0b62a

SHA1
249201cd6db186a9e26a33955077f368c3100e95

SHA256
5cb3f574b2da2579d46721607ad829d6f7f4793a7669618694825ddf3d8395f6

SHA512
270939200433eb64690fbc5cb448ccb9eed3a749016a763a4dda46fd499cce329195478c09a9289a3753d0278ba42c7a4717916b5e5295ccb0839d72eac36159

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
c4ef7e5dffecdbdad6911390d63ec39a

SHA1
7961d36a958d2c07c2f556a8e7f011bdc1c2b2b9

SHA256
d5854abc8c2af9ecfa36bde94e933b2cc512bae910d0a133a14ceccf1c93a5fb

SHA512
3afa28cb523a22d255046824285e36fa80d4fcd4062aff15e3bd5997e335fa717ab7d91451f6dd7306acd7dedc2696a614bbc736fef3d80a82b00cf36452ce2f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
23e1b306981fedc489cb3934abf3d1c0

SHA1
596a527489d15aee311842ac8e2bd18631f0de3d

SHA256
67532a917cb9fd2d774c0a42ab2ae3b8539d447070cff58db6c468a2b63032f7

SHA512
d1f4e868751f9a008b97fb2858a50ce8833779680c7e4004ba9c9f43f4a57713336cfdd122d343c8389ca74f6efaaec31fb3738a4b8f0c3716ffa8a2642f3ace

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.2MB

MD5
acc20e0c6872eb38a2ea21c4281af7e0

SHA1
2f57c35b36b27c1f87258ad62dc6dea87fc12af8

SHA256
3a6c5f11fcd5c17a44b6090ba49a90b6a43996c30ed85a388abced2b2ef84972

SHA512
f584f216cb3eb10745258a29fe92d6a73e4f9422ecd312442803945bdfc563ee998160a733805011c88603e74e8c0163d721e6154b831840988efed68271c170

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
4d05dd67b54ac00a9d667c3b792deed6

SHA1
20003f32e78f85bdafd836d1780e124db124e6c5

SHA256
43a1840dc0b1f19213f1074983538b1f1a1355eb36e6f033d12263b0fd46b4bd

SHA512
a5dcd8eabb4baaa267064e57899554494939193840016827e094602b6bef51ea492c9ae8809ba89b826cbc218587b0d3cc9f27b30a69b4c6497ce76910d19eb1

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e2457dd19c07a577a13a797d887a80fb

SHA1
8baa8ac86406eca55604dd776d48f94b638e4c8f

SHA256
cebc16e024539485a0cf915f9371435655eda20ae8aa3938e7809ba95179503e

SHA512
b051af9e5b902d73957faee488ff25a07dd87c11012e0ce59837c7ac8137c4e3b8adb8e3c8ee359e07c912e99626391b80839ac8bddabdbcd10b8b55ed8727da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
7e15518ad88d2545df02b7881e023a9a

SHA1
294348e1f7ff653b353f8770ccabb43e60e9f33a

SHA256
8ee86b6c19b9d73c850eb8f2ce9a157cfe6f75a48e8c89100bf2b0cf07fccc02

SHA512
c49c4e5b2c0335cbc331182f0b3fc1a9476a506d1704f52d5817da784081c6d73ae65f6c69b417b1028f468475ba8538c3149c87e07e2c7550d2ea809b8bc91f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3613f9a0789c5c8b514c95ef5f4437cc

SHA1
3c0f27bf5cb3bf11f64e7e1fd1d575604706724d

SHA256
10eecd93a44eb6ac6e5bf06f8c586022e952154eabbcf614d9df97d25df1712b

SHA512
a5f6beaa6b0c7e2c11aad3e05ff3ad2045d551b76f5ab5317fc688c842008d3d137414bd2444381ddb8e9d9024810b274888d331c6d216a08e3fc874b174ef19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
aed49a8b096c4e5a4764a2c380dfa002

SHA1
e9370e4d54c51b4760a58abae9b91a29aced376b

SHA256
51b765457237fe66558bdfcb438b7c621db807c341523930706246cf872375d8

SHA512
9226b068430b25dcedaf2ea1cc26d2edf49a6964d881b877a9cd78ae97c2cc0d047e9660281e75bff6ce36924a23cd502d2c80deaddd6b704a501571322dd185

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
436f6614ea5d790179a14416a5858cc6

SHA1
ee83c443308db4f4d236146f38a4067613c48363

SHA256
bcdb8d1887d1025cc4b663955aaf088c22bb6dbcf506ca244caa46b799282798

SHA512
3b0556f99c73a2d55a8bd56812285a1d948acc9c7141a0a4aec83296decaf8f0adb02d8df1c429d0bb27077c38e3e2896ab17f5bd48966ad064d0b646a955fb7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0b84061010ecb39cb4ae7b4b1af47c0f

SHA1
44ef39cfb131c7c99bbc364f1aeb0dee4c222f65

SHA256
c5bd2f2e7466a5018a1f4098e16599a5131879756fd3c9ceaf1d178d13c781f4

SHA512
2cf7aea2d0dba91aedca3f1686a0cbb3573e35ff6eb80cdc37cf90dbc63ba8e4f7a389d3e9ab376ea28603f0b193d99e169ea4f09e434fe6140307b05140e7ba

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
a0a72897089935005559b703a7af46e8

SHA1
f9cb2d7ba41653a6437f1c440fc3c654d02a755e

SHA256
d4246118e1c2dfacf4cf1bb9555a678aa1e68d9424d5a7a143fb4bcc4a28d755

SHA512
787fa059635151bc35b0ed8c0b44b799f82d63c7a0ee3407f3c70bae0ac76ff2972e253a3c74df67437670b503a926a770de3dc461694ea1bbdcd950979a5cea

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
db15d57e00976880f51bfea20d26e2ef

SHA1
3f99cccd8295cb8521afcca40db9cda04d0a522c

SHA256
8153a869d4775885a1339a0b23e00ae30054f0d550503c7460c5bd8b5ae39427

SHA512
4bf2bbe628bd0923542376c7a0df1104c4e91210f5781ec866c5c7fe8e19e4d35db91e4da114f2c44de89555751ce8ab21d805da08de9dde1eb63d86e1d5425a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
d7b55cb4081eead9741021e48e2383f6

SHA1
0013184d69372daf7d1aa3182f425321d727cd0f

SHA256
be498c6a6167917b0870b73e525a42fcd8d3aba2101ae45793bdfd34cb7887f8

SHA512
74812a2d366840e29de46287e5b7cbe676a1e462af1d3d0f0730584bf0c733f39d45e81df87140fa5df21b2b8b735b7d40607050266ce30e6653eb54b4b11de9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c4bac2a791bc77905b572831bb4ce108

SHA1
f4f703c7d7daffc98bfb334152754da5f9e38d00

SHA256
bc4b5a22ce3aaa08d2802e7bad60cba29bd0855ee22c9e239fb7c2f42d765f1c

SHA512
4f13aece8f4626d7b0de18ddf934cce1ac9360213c4c85fc04dd4976875c1799fe807aab28c7d63a8613fe2038431e13fb835d678fc4253be7dd355706d2b209

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
81dc2d7f35a9f1933d93b34b6314e87b

SHA1
4ce72029eb260bf4edd6d169e279da631937e7e2

SHA256
0ec1deab5b507cc4684f8d81001c02fca88f9ef02ea1863d9b68ffc748a5d93a

SHA512
4fa87d74329724f6cf87cbea4603bab51356d650cdab0314893270e503b8b2a1a5f8a59132bbbcd92dd84bb28484914860e31879e6cb4d12356760ef4b3d5858

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
b1bf8078dc38602c520fc4b2931b9891

SHA1
89618babeab28dd5c0d8afd8e557995128c7c1a3

SHA256
4d8526ae1c416c9319290bd68987f87b41c4951a33f164194b1cd2d19e4223b0

SHA512
bd65fd3d1a5b059d95c1afbdfab72b1ab60ecfd4dce310fe42be51fa85306b951dbb555556ab305ccef553df8622b3f0c3745ed5745589ca1643cec9f2e02e98

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
d1ae420529351a525b261860fb26a8f0

SHA1
264145ef60a9df5ec464d6240084e98a17f14bba

SHA256
8ab48e6b0c8f73e0e91eebf8ef782eddde4ff1affef52f841a3ebc97556e49db

SHA512
292eeb452c2065b3360a8ab6b0690a3462c917f858e75436872fdb29a66932f6909e172eab3339c785b5688ef7d8e5fcd2f88ed2eb379749b27821679005c440

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7cf0c724365f8af58faca2cd2ef54f8b

SHA1
9a50f0d63d71969210cd632e7bce83838fb57a1e

SHA256
b1ad30265a4fc307076b476a07b1ebfd8a78833fadf0fa1c1f8e9e0613ea38a3

SHA512
ad29b91515e0f0df5c915f71bd451f7c1fe9a23f8eef49aee7cf612ab3998de7ab9ec7cffa8fd7aa7de2b8672ea905a97097bc3f61449445e3745686bd2ff6f2

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
8abcbd3c5f02d5e2f82e5ad10c7ddcf5

SHA1
07590cb2b32de6d024142033dc85085711b62cca

SHA256
d214ba76cdb7038ec00faf5ab4118f63bf02df6eb1c57952fdb88a6c3e10cb85

SHA512
6a184f2daaa65c342545a35e22dc098e06d47173f1ee70bdd9f8089267dd0f3c880de70f252b89104aa044772ad5623998142816980ccddb3b84b31c7aa25d0f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
94ee485879bfe8c536cb231f3b55b5a9

SHA1
bf07220be1dd8ba0bd9c61ca402714b9f5092d1b

SHA256
49740073ba700933cd04dc6871f8db59976e2411693b956fd3bf75040251f6d6

SHA512
be01c68efa61cff90cb4235a2fa55138dcabb3770f3b6340439a8707bba3a0d707010ee4b84430e309c9fc632dc76e346ef7da0e8662b9b5a35c2f41d7cd0b83

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d40b547ccdd529741589b1b585e14513

SHA1
ee51b0af8234209e38529559bf27e49f9fa3b4ce

SHA256
d37c280b084eb716166309fef01a45bd059dfaf7b2b3a473cfc9fef8db7713a5

SHA512
d59ca1f1a981e99437e4af7e9cf11a335ee0fb048bb68df6e89a849f46e05380c5e87d93a54bdbc6898ac5e5196014df8d7df2b874d511f8339ed55989b11bff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
ecac846b26b2d323fb15c806fedccfe6

SHA1
24e4ca59664b3f4c29641c33e2d1b8fe6c9a6a5a

SHA256
a55aa686938aa35bf04667c5196b9ef69e03891aa34c63d67a0f37ec612a5053

SHA512
bae21433542dd70099d7106f006d76fb2851e511f334ae48fd7855517cc14fa0dadd396a868c1acb6c83a28c193acab8c7f4e7d1c1d91aa564e3ff5db35fc20a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a439f5acf70e58f6c6e26a875c6316d5

SHA1
5c42bf60de8e2e36be597aec5ff05e5777f76a9a

SHA256
8cf5340ba8f93ec047008a567b371ac50ab31bb6766cb8e2f7f297d7f4b4fa6d

SHA512
e466ed419d4f35d8229bf1c565ffd9d599a82ef41d0504c949bb5ba262e29cd26b77054b8e8b90f8e3518afc1a749eff9edcdc12bfd06ee0f59ad9fabebb7009

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
3301a6d1d89d3fedabfbb965b76a245a

SHA1
39face29680563825e8c2af3b2102cbc52542342

SHA256
2c78c42b1b97cc77f3eadaebc8366716ae73de2ae1954044d40b3394914f029e

SHA512
528884612244d0e7798acc05489d22da1fb480c7158de7ed427db74ae519fe2356af7781507f1921a6deee519ac2d3e9744e633e5df8319fa4a9b3b307853e45

Download Submit
C:\Windows\Temp\Cab6825.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar6895.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0817dd144bd1703a16af65cf81ef80e6\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
759KB

MD5
37c49cf471f7ad881127f9e38bed1a10

SHA1
473c3a7a28d138ccfff0d971a1ce9360ab990aba

SHA256
9ef88d67461f4d91de1e16fab938d5561db9d04898d8776f9e716fdd52f91369

SHA512
e88e5b3b41b5763ed7de4d3ef40ec77144252c30d8d67f5b387b905026bd856e9d70889ccf9f78b0c0a7b0298ca8afdbaed133675001dc60593c6fbc31e93c47

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
227KB

MD5
4ec89a4e8fe1b5b9916ace8dbabc0418

SHA1
dafec0baada7f2fa425978a5816fe852053fb1fc

SHA256
6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0

SHA512
648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
221KB

MD5
78c5a493778f578ef5517fe161162819

SHA1
faf377bdc739623fb5f111d51af97e8c78f11525

SHA256
aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93

SHA512
6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\59ca330987b1f75aa98e599763ad7546\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
fa9838ced8755df2e7e431e7bf6f6a54

SHA1
3e478d77eede971fbfbc259a2f9b0b262d0dd023

SHA256
d841b9cc764406a54e404a657eec52a796b7bb31885bbb0a4cab0cd638f4dc50

SHA512
15c7bb83bb983ce00df602b435895145f824a7166766d0dfb2c997913dc149f637a2d3f2683431a6cff7d0a8119ca263fe87779616a2b00a77a95e02b1266796

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
381KB

MD5
0811b25e0449e04f782127bc6f8ac5e3

SHA1
dc1766e20ee338b12fa80e3ce0052ef97ddf9e20

SHA256
20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c

SHA512
a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\7368efd9a9cf52e54fd65fa9ba963060\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
43031a6f39ab3fcda2d91f16404d7bb2

SHA1
2a6807fcef1a188cfe1114fb552f199cff35f6c2

SHA256
cf15a970fbb3f791c5c3b53e629c06de6b38e5469e959e40034a37811216ceda

SHA512
158befa21a08bf231b871b4f71aa5be943b7526457d99bc3550ddd923557799b018a7b094ab3c48258c693b9b83d36b863d315756e62b57bd28803b50aca27ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
947KB

MD5
b1aa17d171be82960213057ca35815a9

SHA1
6c68a8a2c524ddbe04395dfa613378bb311aa314

SHA256
c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e

SHA512
6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a441c402c6370ea20af69f16ca1d35b4\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
ebdd2ace55a78699c23a6e0c9fac3440

SHA1
8b5e390ffabae7f324b4af90328d025509a6d0be

SHA256
e234274bf39f0bdccd4f8062a348a23ebe3534f8f2ab436294091192e845a43c

SHA512
85af4a721946630a92327f305ebc79c7e1b2112e6286c928c498fc80269d787b505f76acb3193f041c1c9fa0b0ddd60d30e078ac0f1ddad0196223a980a20e01

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
483KB

MD5
aae5a97685a809d0a0f661f9319f8a12

SHA1
b5fdd4ec4cc057fccc868de4f4910be89e23e48a

SHA256
c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

SHA512
d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
436KB

MD5
748bed51a810c033b91c660b5776ab95

SHA1
ec2616fb01949fb9fe4b0eea707f7095b69aa9e4

SHA256
45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7

SHA512
dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b22777deb45f6aeebf6bc7753dd76eea\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
220KB

MD5
5c35887a0b76108f6fb6daac51256ef5

SHA1
3be6ece2f60d205bcb955a5da0aa182d83cc1899

SHA256
9f8de356dab305f2be5cf1f75934eb6b87072e1745ab5ee73ab4b319bb9a2b5a

SHA512
0d1d2e5dd3ec776fab85e8f3b8cde32718bbbb52463c2702a17336326570a2fd624b0e32fd98182bba8c25fdd57ba861edebc1f00cfa66c04ec1c8a6f10fcee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d03c9d6db4be303d3a66cef1b1aa5d53\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
371041cfade6d1f0a191dea25b49c759

SHA1
633023526012a0d7698393dcd4a2bde5f738a3be

SHA256
da8cd71e93e58c074a66d6a2b9e7093cd4926f5ea592fa1ec098755b11e52b35

SHA512
379e3fffa69aed4857f9eb00b8d5787d72ccd24aafba4326e35ff78d1d811e781c9c4d629e6ac7de2181a982596ca8f9df46b61e43352e75c7f546e0dbc0ff1c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
487KB

MD5
aefa28d036740086ae52d157f245200a

SHA1
d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55

SHA256
75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49

SHA512
3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
35f397647e7a724a57ed3777dc37623d

SHA1
19e3db3e2f83a189bedebf1aa57bc7fe6da6b8dc

SHA256
b8721b1476ab10b36186a1ed840e9954679d7bdcc9c77b5e8cb051e5459c2f63

SHA512
9cce955480334f9cf60d03d89d78fed0841709fa623c57e0e88cfdac5deee327e773920be40d97ec6b9cd148feb18632dd944ec53ae2a451d3bad1d52f82cadf

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f365e57f58a1eec509d721f1ecc7606d

SHA1
386b07438253278754cc94d7285cfee7ab508da7

SHA256
f7de23f20d37f5e7024b04cdaa75f8155bd36275cfa00ccc5860dc69e58c9e12

SHA512
147fb8febabbd57f7b0da05492060d24a5f6c9cb5c8171b50268f8cf4e3f316068794e0847e130753941762eea4fbfcbd99418e0b18b7d9cdb35981444dedb7b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
b750711d9b2cd6da32a78e8622075cf0

SHA1
5f37dfd205fe21c6bf8d6ec9554e1181e5e78a6e

SHA256
bfa571d7a213ff6100ab7fd2d2f2ac74cabc746a281db93a1b998632cf0ac467

SHA512
bcc4294ff4581927ebafbcd20c9e158771a4a1fba424976cb2ea5331c07eb2818d9af96469c741749b5facca08785b2e4b1d24217107d28fe670ac0ea8feb326

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
f5e3293448d12c32d7a9598c45cf6f78

SHA1
69990f5cca47b7e2c2ef0aa1ef01ab472754ef27

SHA256
1c95a2715751f8b72901104e4225f9d354e1b434fba8852ab2e4d42f69351b90

SHA512
8f81d32a974050782dad5789989b0cf0ef0db43a84715f10fbb524747a55707d9b5553014319ee55a16692ea664a8e163a70eebcfb4b940c1aad32d88d6e89dd

Download Submit
memory/288-234-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/288-505-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/340-289-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/340-182-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/444-262-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/444-146-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/484-721-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/716-685-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/716-696-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1064-114-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1064-120-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1064-934-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1064-233-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1064-113-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1076-1029-0x00000000019C0000-0x00000000019CE000-memory.dmp

Filesize
56KB

Download
memory/1076-1028-0x0000000001990000-0x00000000019A8000-memory.dmp

Filesize
96KB

Download
memory/1076-1030-0x000000001AD60000-0x000000001AD7A000-memory.dmp

Filesize
104KB

Download
memory/1120-623-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1120-600-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1156-786-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/1304-292-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1304-626-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1424-290-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/1424-597-0x0000000100000000-0x0000000100253000-memory.dmp

Filesize
2.3MB

Download
memory/1444-672-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1444-659-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1704-267-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1704-579-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1716-160-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1716-270-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1716-925-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1728-231-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1728-447-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1916-334-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1916-683-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/1964-104-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1964-102-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1964-96-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1964-222-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1996-1009-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/1996-1004-0x0000000001880000-0x000000000188E000-memory.dmp

Filesize
56KB

Download
memory/1996-1007-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/1996-1006-0x0000000001A60000-0x0000000001AA8000-memory.dmp

Filesize
288KB

Download
memory/1996-1005-0x00000000018A0000-0x00000000018AC000-memory.dmp

Filesize
48KB

Download
memory/1996-1010-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2072-648-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2072-634-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2168-991-0x000000001ACF0000-0x000000001AD38000-memory.dmp

Filesize
288KB

Download
memory/2168-992-0x0000000001900000-0x0000000001916000-memory.dmp

Filesize
88KB

Download
memory/2168-989-0x0000000001880000-0x000000000188E000-memory.dmp

Filesize
56KB

Download
memory/2168-990-0x00000000018C0000-0x00000000018CC000-memory.dmp

Filesize
48KB

Download
memory/2244-660-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2244-643-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2244-708-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2244-686-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2256-303-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2256-642-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2312-187-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2312-307-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2356-254-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2356-569-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2368-90-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2368-47-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2368-40-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2368-39-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2412-139-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2412-27-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2412-28-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2412-36-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2444-184-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2444-198-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2444-684-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2444-668-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2512-550-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/2512-8-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2512-75-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/2512-0-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/2512-1-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/2580-76-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2580-82-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/2580-77-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/2580-213-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2664-711-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2664-705-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2680-612-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2680-580-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2712-63-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2712-86-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2712-54-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2712-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2756-729-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2756-740-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2800-661-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2800-331-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2864-95-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2864-13-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2864-22-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2864-19-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2900-245-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2900-135-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2900-887-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2940-333-0x0000000000670000-0x0000000000861000-memory.dmp

Filesize
1.9MB

Download
memory/2940-320-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2940-216-0x0000000000670000-0x0000000000861000-memory.dmp

Filesize
1.9MB

Download
memory/2940-205-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2992-658-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download
memory/2992-314-0x0000000100000000-0x0000000100203000-memory.dmp

Filesize
2.0MB

Download