230c818861ff859433ed8a58d929563db056768f8ce3de2bf92d275f62d828a3

Analysis

max time kernel
119s
max time network
112s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c53c179b3b1d9c380dc767e08a4ead40N.exe
Size

1.5MB
MD5

c53c179b3b1d9c380dc767e08a4ead40
SHA1

9755059ee752631fadc4423a82f722d4bbb6b609
SHA256

230c818861ff859433ed8a58d929563db056768f8ce3de2bf92d275f62d828a3
SHA512

2f92df28c57710a623e7d1b7da1c3efcbca7ea17f7dbe7bcd854448bac45b3bab57e8307a8e2315fbce60fec04b0b43de527072832c7f01071fb09bb356a842f
SSDEEP

24576:yz2DWl8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:kgDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2920	alg.exe
2816	aspnet_state.exe
2640	mscorsvw.exe
2560	mscorsvw.exe
1168	mscorsvw.exe
2176	mscorsvw.exe
1816	ehRecvr.exe
2396	ehsched.exe
964	elevation_service.exe
1984	IEEtwCollector.exe
1920	GROOVE.EXE
2032	maintenanceservice.exe
2908	msdtc.exe
2628	msiexec.exe
2684	OSE.EXE
1600	perfhost.exe
2640	locator.exe
2484	snmptrap.exe
2236	vds.exe
2280	vssvc.exe
2284	wbengine.exe
764	WmiApSrv.exe
1852	wmpnetwk.exe
2476	SearchIndexer.exe
2268	mscorsvw.exe
544	mscorsvw.exe
1684	mscorsvw.exe
2080	mscorsvw.exe
3024	mscorsvw.exe
1712	mscorsvw.exe
2012	mscorsvw.exe
2252	mscorsvw.exe
1924	mscorsvw.exe
2796	mscorsvw.exe
2080	mscorsvw.exe
2268	mscorsvw.exe
1512	mscorsvw.exe
2144	mscorsvw.exe
2604	mscorsvw.exe
2896	mscorsvw.exe
1512	mscorsvw.exe
2252	mscorsvw.exe
2720	mscorsvw.exe
2976	mscorsvw.exe
3032	mscorsvw.exe
2252	mscorsvw.exe
2720	mscorsvw.exe
1704	mscorsvw.exe
2420	mscorsvw.exe
2796	mscorsvw.exe
1312	mscorsvw.exe
2868	mscorsvw.exe
1752	mscorsvw.exe
2880	mscorsvw.exe
2748	mscorsvw.exe
2608	mscorsvw.exe
2380	mscorsvw.exe
3040	mscorsvw.exe
2724	mscorsvw.exe
2364	mscorsvw.exe
2100	mscorsvw.exe
2836	mscorsvw.exe
984	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2628	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
740	Process not Found
2880	mscorsvw.exe
2880	mscorsvw.exe
2608	mscorsvw.exe
2608	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
2364	mscorsvw.exe
2364	mscorsvw.exe
2836	mscorsvw.exe
2836	mscorsvw.exe
2080	mscorsvw.exe
2080	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
2620	mscorsvw.exe
2620	mscorsvw.exe
852	mscorsvw.exe
852	mscorsvw.exe
2812	mscorsvw.exe
2812	mscorsvw.exe
3028	mscorsvw.exe
3028	mscorsvw.exe
1864	mscorsvw.exe
1864	mscorsvw.exe
1892	mscorsvw.exe
1892	mscorsvw.exe
2348	mscorsvw.exe
2348	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
1344	mscorsvw.exe
1344	mscorsvw.exe
1640	mscorsvw.exe
1640	mscorsvw.exe
2380	mscorsvw.exe
2380	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe
484	mscorsvw.exe
484	mscorsvw.exe
2672	mscorsvw.exe
2672	mscorsvw.exe
2276	mscorsvw.exe
2276	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
2964	mscorsvw.exe
2964	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\System32\vds.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e302a3d3cbd72a55.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\alg.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\locator.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	aspnet_state.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC64C.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA88F.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC2C3.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC800.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index163.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP77A0.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP75AD.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c53c179b3b1d9c380dc767e08a4ead40N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7243.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBC1E.tmp\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBF97.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index164.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mstsc.exe,-4001 = "Use your computer to connect to a computer that is located elsewhere and run programs or access files."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{F78D244F-2107-4520-B339-386C144F3AE1}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2248	ehRec.exe
2816	aspnet_state.exe
2816	aspnet_state.exe
2816	aspnet_state.exe
2816	aspnet_state.exe
2816	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2340	c53c179b3b1d9c380dc767e08a4ead40N.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: 33	2620	EhTray.exe
Token: SeIncBasePriorityPrivilege	2620	EhTray.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeSecurityPrivilege	2628	msiexec.exe
Token: SeDebugPrivilege	2248	ehRec.exe
Token: 33	2620	EhTray.exe
Token: SeIncBasePriorityPrivilege	2620	EhTray.exe
Token: SeBackupPrivilege	2280	vssvc.exe
Token: SeRestorePrivilege	2280	vssvc.exe
Token: SeAuditPrivilege	2280	vssvc.exe
Token: SeBackupPrivilege	2284	wbengine.exe
Token: SeRestorePrivilege	2284	wbengine.exe
Token: SeSecurityPrivilege	2284	wbengine.exe
Token: 33	1852	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	1852	wmpnetwk.exe
Token: SeManageVolumePrivilege	2476	SearchIndexer.exe
Token: 33	2476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2476	SearchIndexer.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeDebugPrivilege	2920	alg.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeDebugPrivilege	2816	aspnet_state.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe
Token: SeShutdownPrivilege	2176	mscorsvw.exe
Token: SeShutdownPrivilege	1168	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2620	EhTray.exe
2620	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2620	EhTray.exe
2620	EhTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe
2480	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2480	2476	SearchIndexer.exe	56
PID 2476 wrote to memory of 2480	2476	SearchIndexer.exe	56
PID 2476 wrote to memory of 2480	2476	SearchIndexer.exe	56
PID 2476 wrote to memory of 1748	2476	SearchIndexer.exe	57
PID 2476 wrote to memory of 1748	2476	SearchIndexer.exe	57
PID 2476 wrote to memory of 1748	2476	SearchIndexer.exe	57
PID 2176 wrote to memory of 2268	2176	mscorsvw.exe	69
PID 2176 wrote to memory of 2268	2176	mscorsvw.exe	69
PID 2176 wrote to memory of 2268	2176	mscorsvw.exe	69
PID 2176 wrote to memory of 544	2176	mscorsvw.exe	59
PID 2176 wrote to memory of 544	2176	mscorsvw.exe	59
PID 2176 wrote to memory of 544	2176	mscorsvw.exe	59
PID 1168 wrote to memory of 1684	1168	mscorsvw.exe	60
PID 1168 wrote to memory of 1684	1168	mscorsvw.exe	60
PID 1168 wrote to memory of 1684	1168	mscorsvw.exe	60
PID 1168 wrote to memory of 1684	1168	mscorsvw.exe	60
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 3024	1168	mscorsvw.exe	62
PID 1168 wrote to memory of 3024	1168	mscorsvw.exe	62
PID 1168 wrote to memory of 3024	1168	mscorsvw.exe	62
PID 1168 wrote to memory of 3024	1168	mscorsvw.exe	62
PID 1168 wrote to memory of 1712	1168	mscorsvw.exe	63
PID 1168 wrote to memory of 1712	1168	mscorsvw.exe	63
PID 1168 wrote to memory of 1712	1168	mscorsvw.exe	63
PID 1168 wrote to memory of 1712	1168	mscorsvw.exe	63
PID 1168 wrote to memory of 2012	1168	mscorsvw.exe	64
PID 1168 wrote to memory of 2012	1168	mscorsvw.exe	64
PID 1168 wrote to memory of 2012	1168	mscorsvw.exe	64
PID 1168 wrote to memory of 2012	1168	mscorsvw.exe	64
PID 1168 wrote to memory of 2252	1168	mscorsvw.exe	75
PID 1168 wrote to memory of 2252	1168	mscorsvw.exe	75
PID 1168 wrote to memory of 2252	1168	mscorsvw.exe	75
PID 1168 wrote to memory of 2252	1168	mscorsvw.exe	75
PID 1168 wrote to memory of 1924	1168	mscorsvw.exe	66
PID 1168 wrote to memory of 1924	1168	mscorsvw.exe	66
PID 1168 wrote to memory of 1924	1168	mscorsvw.exe	66
PID 1168 wrote to memory of 1924	1168	mscorsvw.exe	66
PID 1168 wrote to memory of 2796	1168	mscorsvw.exe	67
PID 1168 wrote to memory of 2796	1168	mscorsvw.exe	67
PID 1168 wrote to memory of 2796	1168	mscorsvw.exe	67
PID 1168 wrote to memory of 2796	1168	mscorsvw.exe	67
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2080	1168	mscorsvw.exe	68
PID 1168 wrote to memory of 2268	1168	mscorsvw.exe	69
PID 1168 wrote to memory of 2268	1168	mscorsvw.exe	69
PID 1168 wrote to memory of 2268	1168	mscorsvw.exe	69
PID 1168 wrote to memory of 2268	1168	mscorsvw.exe	69
PID 1168 wrote to memory of 1512	1168	mscorsvw.exe	74
PID 1168 wrote to memory of 1512	1168	mscorsvw.exe	74
PID 1168 wrote to memory of 1512	1168	mscorsvw.exe	74
PID 1168 wrote to memory of 1512	1168	mscorsvw.exe	74
PID 1168 wrote to memory of 2144	1168	mscorsvw.exe	71
PID 1168 wrote to memory of 2144	1168	mscorsvw.exe	71
PID 1168 wrote to memory of 2144	1168	mscorsvw.exe	71
PID 1168 wrote to memory of 2144	1168	mscorsvw.exe	71
PID 1168 wrote to memory of 2604	1168	mscorsvw.exe	72
PID 1168 wrote to memory of 2604	1168	mscorsvw.exe	72
PID 1168 wrote to memory of 2604	1168	mscorsvw.exe	72
PID 1168 wrote to memory of 2604	1168	mscorsvw.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c53c179b3b1d9c380dc767e08a4ead40N.exe
"C:\Users\Admin\AppData\Local\Temp\c53c179b3b1d9c380dc767e08a4ead40N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2640

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 268 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1e8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1e8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 1e8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1e8 -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1e0 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 28c -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 278 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 204 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 258 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 258 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e0 -NGENProcess 27c -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 27c -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 28c -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 258 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 27c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 27c -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 298 -NGENProcess 258 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 258 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 290 -NGENProcess 27c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 258 -NGENProcess 2a0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 260 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b8 -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 290 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 29c -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a0 -NGENProcess 29c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2dc -NGENProcess 29c -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 29c -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2a0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2b0 -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2a0 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 308 -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2d4 -NGENProcess 2a0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 310 -NGENProcess 2cc -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 318 -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2f8 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 31c -NGENProcess 2cc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 2dc -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2d4 -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2b0 -NGENProcess 324 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 334 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2d4 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 324 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 324 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 358 -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 2dc -NGENProcess 324 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 35c -NGENProcess 2d4 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 324 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2d4 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 2d4 -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 370 -NGENProcess 340 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 374 -NGENProcess 370 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 370 -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 358 -NGENProcess 364 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 384 -NGENProcess 378 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 378 -NGENProcess 374 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 36c -NGENProcess 388 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 390 -NGENProcess 358 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 358 -NGENProcess 384 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 37c -NGENProcess 394 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 388 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 374 -NGENProcess 39c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 394 -NGENProcess 37c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 3a8 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 358 -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3b4 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3a8 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 390 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 37c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3a8 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 390 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 37c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3a8 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 390 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3d8 -NGENProcess 374 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3d0 -NGENProcess 3e0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 37c -NGENProcess 374 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3e4 -NGENProcess 3d8 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3d0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3ec -NGENProcess 374 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 374 -NGENProcess 3e4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3f4 -NGENProcess 3d0 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3d0 -NGENProcess 3ec -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3d0 -NGENProcess 3f4 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 374 -NGENProcess 3ec -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 3ec -NGENProcess 3fc -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 40c -NGENProcess 3f4 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 408 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3fc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3f4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 408 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 41c -NGENProcess 418 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3ec -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 428 -NGENProcess 414 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 418 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 408 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 414 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 418 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 408 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 414 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 418 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 408 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 414 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 418 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 454 -NGENProcess 408 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 408 -NGENProcess 44c -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 45c -NGENProcess 418 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 418 -NGENProcess 454 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 464 -NGENProcess 44c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 44c -NGENProcess 460 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 440 -NGENProcess 468 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 470 -NGENProcess 418 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 460 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 440 -NGENProcess 47c -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 45c -NGENProcess 460 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 478 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 484 -NGENProcess 47c -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 45c -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 468 -NGENProcess 47c -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 484 -NGENProcess 494 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:1312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 418 -NGENProcess 47c -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 47c -NGENProcess 490 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 49c -NGENProcess 494 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 498 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 49c -NGENProcess 490 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 490 -NGENProcess 49c -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 49c -NGENProcess 4a4 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4b0 -NGENProcess 478 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 4ac -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 4a4 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4a4 -NGENProcess 49c -Pipe 4c0 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 49c -NGENProcess 4b0 -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4c4 -NGENProcess 4b4 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4b4 -NGENProcess 490 -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 478 -NGENProcess 4c8 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 4d0 -NGENProcess 49c -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 478 -NGENProcess 490 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 4dc -NGENProcess 4d4 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 45c -NGENProcess 4a4 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 4a4 -NGENProcess 478 -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 4e4 -NGENProcess 4d4 -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4e0 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 478 -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  PID:284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4ec -NGENProcess 4e8 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4e8 -NGENProcess 4f4 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 45c -NGENProcess 4b0 -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 45c -NGENProcess 4e8 -Pipe 4f0 -Comment "NGen Worker Process"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4a4 -NGENProcess 504 -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  PID:484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 478 -NGENProcess 4e8 -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 508 -NGENProcess 45c -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 504 -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 4e8 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 45c -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 504 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:2120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4e8 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 45c -Pipe 508 -Comment "NGen Worker Process"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 504 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4e8 -Pipe 510 -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 45c -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 504 -Pipe 518 -Comment "NGen Worker Process"
  2⤵
  PID:852

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1816

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2032

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:764

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
8a8a9f95abfbbf66c9c8805876d58b38

SHA1
106cba942485288d4a1dee6e7ee9f44c529ec88b

SHA256
3a8630a44b93f475d2d9c978d19c5d784df9602fd91de8d252daba63ce759950

SHA512
3437f94db5cdff590b257e7e10533c8ff8c677bdce46b1e533a61d46a1e3d93aee9ba0f669f7b23d9a0255da37c8c3a94ad1a7be70482380c389fa0a18ff1544

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
be415582b2052cea3d6ce32ce7fd9118

SHA1
7c2fe874b0a5d46f07f32f2ab6b11007dda459d8

SHA256
e919417951535db33039a060e9f774fc667173c782cea916e0cfb01d24f19097

SHA512
c8d4af98c3584445fd73322c1f645b64299549b4c124fc6a22889abaa291fb1673ece44d947c41d9d568ecbb96dc365c875263418234c16750667a8a21a461b9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
418e14f4ef6721d7a978d88d43b5744d

SHA1
9a3e5ce2f7d42ee46e08109a502bdce998fd1ef9

SHA256
f38c59d83d62a47af00b9c7decd6a9dcc1eb45260b399a0b28efb37dbfce90cf

SHA512
c3e5151db19189a49abc6c897e46159143e9e93c0cb919794a771c6ec71081bd3416d5e232a278a76682b36b480218b39917f3e45b97b792b45e551efb648bee

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
f250d844dbdb8492c3309dd55fab050e

SHA1
0117031fc278ed35cfeafac91e688d907b3cfaf3

SHA256
b27086f0d37e2755a2be47f4378cc1f3ee768dd91f279931caaf7a5f8e6a23e9

SHA512
a93584e6c165044e797b9c3feff94f35b47e3a17df5cb11b63b997bbed15b820897eaaed2ee977ecfc8131717b3cc0c7ef0b01db4276db0fddd694fe60b7fea2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
205be65d3d3cdb9739c282ad9d2ca709

SHA1
c40794194dd309eb9d0bba0d8040cea6be1ea00f

SHA256
1cd02951996651b83acc1fe09449f2e8ed72060116572a872b39fddc44ba4cc3

SHA512
3d34b6cfc78009907d2cf1ad38d2625983bcf450b0e8d4db4a5d9e5ca8fcc9d82158bdfa1c09cd103976704e5fedb99bf6bef76d6ecc987ba94a7bb9082b277e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
34fdf3d350f310fd43f3aff95ad392c7

SHA1
5be1b837d96e08c597516c6a563a73eee73273b5

SHA256
a0572c41f1c9bc01d58efff520f567e7baebf9e13193cc49ad190f4d61173d43

SHA512
b2543dde3bc6ac658e2def0ca9cc7ae2d1ed51d1e7c817b9810d56cd55c93d12ad2eab0b22a8f9992ce52bfd59dd81c414b3aca0d1fe9ffe1725790463f04523

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
01068a4f4ba59e305a48a5046d750e22

SHA1
28e26963659358e6738786785f8b78a215900d3e

SHA256
6b186f2819d0558c6d35ba1a9eaa5be11a6d3c760cb32ac61d962e8c0ea5d42c

SHA512
52169ffe0aa79328690ad64b12af40ad2c313bd8419ef322e9f0a693e758427872924c571aef1928952b715ec261c06fc8370be9bdb26360fe03ca897e3d1f4d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e3b22859a9aae651b9eb6ea64edd4d05

SHA1
451119f776459bcc00405b33c93316a40ff7ebf1

SHA256
5c8435ed1af0d2ced519d8bf3f321d006a3d6cdd5d3dd94ad7377798bf771cf4

SHA512
0fd873b871c905653e5bc12e388f21f7797e1a40c7a410900c31982a0d75fced5599d75bf8a99f4b977dcb81231f2dc90efff852eb3d1e6a0383e3d397e7631c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7f733851f97dfefa8e3d4349a916bff1

SHA1
2bd10837fbe523a1e3f41137f50b0eb59ad26ce9

SHA256
f79cf31d63f6464b8e625cbbdf9a7dad2cd7afbe36fc03794947b1f5c2920759

SHA512
1c8616b58951dd8bf7c8b93b95cf5347eac6f41d373ad2fe902d728e43a739179d4f9ec4bcaf2a4ab41ba5f988b19a54b586e3fa081c2dc8cf76619312ca1498

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9cdddeb33c3a5671dc20218d05d799a5

SHA1
ba47a7e9db180b8ffca15a2667c59da0c0d714f7

SHA256
70f22d54fa251b9f78f57624bf6f1d59f6bf2acd7c2c1066b736a4ca3213d8f6

SHA512
5ae7fb703de3c9b5c685ad8f47e9adb25c22b6f75b6ab48fabc423d18c8e08730404700d7930d039e438bc735fd65ba24dcd797274b85120ce8373ee9ed727c7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
bb210180167551dc01ecc1d5b0adf5c5

SHA1
0934dca331974aec98ba0dd7054b3d7135274427

SHA256
3ade0338b7eab1d1fec7bc98ea2cb4437264d8e4ccb0eb40ae814774deda929c

SHA512
866dee4389b9f560d5bd6c19a41556b2e5b3396f08b4965b6f824929a427ef50a272cae4dcf995c7c210d32cdddda5b97d8e4123411ad35f2a5e14d928334c5d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
59ebf9642b6e9f94465de0ccc87ebf0a

SHA1
ba8cf20d72b68dfa6e1725814d8eb93fc2162114

SHA256
451393469649a1407ce205291e2dcc89a7f7bf40c0c73bd6d36c42de62eb12b0

SHA512
9ac53f6559f752340a891d79e86f5713d1eb275d6e7f25182abab77b2cacc6870d7706a32f065d3f621672071b6297e56ff8489d916deb25614859ea70464ffb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5021fe6541b013800c7cd379806d3fa1

SHA1
6022cd4b3d0e11183b7aa88b83800347037f5c3a

SHA256
77f8aa432c81da428ff317bac3afb26bfbec3056c65e67c995618196c4c84d5d

SHA512
75d8ca5ccb349b5f9c411746155b7f4dd11b9380d152eab480de2bf9264b1ca19a5757c7923f01d77d371b659de1bb915c8263c7f26b15e55d43e4caf2249117

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
96d8e02b6c9800df582aa62719365a09

SHA1
a58d6c87094b22e92694a0fe190528efe25b449b

SHA256
9686276b6c5a1ce3cf791d3f0a893a732777badd85fdfd4320ffd08ee4c6970a

SHA512
da12f1af77922b6e72d787ccde5449faf9d3d6ac4f7a4d8df523e61090485f011fe2157029efd5ee2a3ac23879c8e80bf6c3bf644253ccadb0c579fa584a7f11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c4ef9987e359762829e83f2e199f8d6a

SHA1
c9877e133293f9d0a745be54130cc7610062749c

SHA256
2bb269ecee8f3a46b2a2050b69c3c1ba9d0dddb66c277ea4049836a6ce72304d

SHA512
43e3e0c0f73439cb1755be0b824a324cb99395b436a27d9f454f385840853fd1dd46b12be983db9e60bb3a3713656b7d02e9e31e60e898f99f018a97398fcfdb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
dea9bf568ee1710e78f15c3343134acf

SHA1
f8e6ee94ed9619b3dce275a68477fd935b79f29c

SHA256
445b61c8af4f33b3022774e9fd6cfcf2b63a79fbd7f7bd5ea9773cd5a9440124

SHA512
14310338990a3b6186efe0f3442f9f6c7b4f2b84f49f30bb5e35bc0671a3f9b869a318da877026d7c1dfd5d83f13c245df920e4e26492fef762c03c1d4571bb8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
4c54d69f71bb9f7792e033cb0f38b4c9

SHA1
ff5c96125f0daed0567aeb5092b556b0c2ecc21f

SHA256
68b7e0b9fe2c0aa2d05b4cf76a37ff3b7cc8a4d5f34bc02b8cc456f40d074d70

SHA512
8de2998e5e329816f6719f988b8af070fab5a623b4d35fbf6a82e602e9b589cbeec976ab77bc61f488a9f483aa050b14f3dd11f1fbd78f390eb341176bb5e42b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.4MB

MD5
a0388503ad5ec18feb489413c2c25a76

SHA1
0e0ff4591292c9570804ad4e3a7ae59bc42da93d

SHA256
684964dfa9526e8971781afb4c6ec1087ea7e1939b081379a3748377abeaca8e

SHA512
024b8f7df1739e69a594f6bc2369c92db01dbfd19340ed08aef7bf54d54ade18e0b3afc51ad3b539cd66428f2e4dfe734716ae949390c76293312b9886a5bfb9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.4MB

MD5
ae6200dbd069b2e9341064250baba428

SHA1
122950c5e1756891f9c20a1f0a07ae29bca2edd7

SHA256
0c276a12346d83806c88d293112f7619d3a03eece5fb063673999da70b3e509b

SHA512
992457bfb33d6697da324c5e69b5a2b75bd2f23b86ae6ad2401d6b4f7e42816a80b879aa4c8ad878828de36d09d32814f15a7798d7c66feb694439d3ee328868

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.4MB

MD5
dc5cb03089d5825621291e1b7b028689

SHA1
d1de264308f14f085231a0f4c647806f012e2d0e

SHA256
6ddc84f28811f71e297d6f056caf0d1672f6edf35eb5dbfe5f035025ef5c81f6

SHA512
8135f3fc7612f109b1c1e61ec4dc69e1a8a4f1ef439859aaf9cd80c271d6e8da2aba1121b53cab74df3f1b00f11ea9fafe7d5f1e54c4b098c7515ca0f8ebc7c4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.4MB

MD5
835505daef803d64ba7bd2f716652202

SHA1
581624756978cf650cba677569d55caf3a782303

SHA256
ddb50e002aafe7ae17fbdd5f9a167d8e6efab60ca0961d837b52e38dc67731f1

SHA512
c41a3491393489a40ae3ae09ad4b8435b38383ee8f4694a047edb21ebeddfe4fcde82f1209dec4baa6aebf2b031a6358096ca059cabe69b29ac4e406661d8aee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.5MB

MD5
133d9c45066df40909cd6f8fa3f58db0

SHA1
9fa5377312f2c75573f1415121fd93419b0b9805

SHA256
3f14510fe339c2c6b75af945191a93bba5a7a06b4365d2ca6092273018900489

SHA512
00524f70e4b6fbaea3732ee8dea0d6780f2ff93f4ff355d602b2ddbf02f4de3b97f1deb14bfbe1070bd5fdef0ba8537b86e463c7a8bd7b8e697de48d4c67769f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
485b5191b416f31e77bd45b66fe5bf78

SHA1
e242f41b746f78b2a941f1ecdbfc0be4c03580d4

SHA256
64b3de9ded5f1109ecc0b65e07bc6c0c1dd78d39da32611edd015e84d762d3f0

SHA512
cc1f82f5a8377bf8bca68b9e47564ae6ca6456d869601ce39b6039ab66d0b0a080e7a5ad59dcc9b4b2516804d9b9e274d24476a357b71b0bde8576a0a4f7b3e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d6463299064477d60f70ae29686b37a5

SHA1
0fd7512d670b75c187c09164dc748eab34380ac7

SHA256
7e494798cd2abbc9a9fbb413e0406066ba188d5a57158d309284de089d285798

SHA512
15da7a632e42a3bbb5133c8fb3e617c3db1256fdd17bf0b36f9829f8b55e389bc97547953abd77294842905d2ee9fd532baf56320dac31a17261d009af5621ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
a8294b25935ba1f3f8c66031c8c7cb6a

SHA1
02a8873563054f18d539013d0779d418b7f5e865

SHA256
da42106ce47554157537f4b4c499f2e71bcff42b36e4d54f58565159e823bbd9

SHA512
313b596a06c6a03b270dcf10ce15c29615ce9aa6e3e07374163ebf7cc9899e0cf01e517edc3f199929471f38f11307d5015c19fcb0589a24dba8bfc7e1495394

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
96beaba13a279c38e2e5e2665373d5b2

SHA1
ac7c52b94339f690d0165b0e2d7e77dd062c2004

SHA256
a771fe39f529b6c51dc020274700ba83b108fdbbbaa43dc2e7cc1e085262738d

SHA512
945f31a0b55a21b86f730723159d3447da938c49eb34ef46bff5a57a12951f13af92f6b0da6ab27d120900842178aa19c3de3a30cc70815eab327f01eadc8e7f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
8eb491ceda6f414fbb33d08afff657e9

SHA1
48b58dbd80b0c190cc1d90f34cd7944d2b582936

SHA256
e1a5f38e2a64bfcf9f1c7968505af073ff5e544e5ded7f09a06c44f000f03342

SHA512
d1cfaeb1e1bd94a7d3900cf2cdd0e1bce3bc5b7f1706d1bcf63b742a10aa308a6155f6c1f0c01688eef45207015eb22fde98c7caa48a8917162018d35cac6392

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
d9c73587854128879d1afb8942390554

SHA1
b8fc994ab28fd0ddc9af2e26cbf52acdaf4e8679

SHA256
a7cd089eb4354665b26b5fea2563a736b1b5c6df3934a997595a52c0164dcf3b

SHA512
80a6243df1d8c414b4eac5618fca66213041c7ce82e19e6c184d7e87de65a84c22ecbcf89a3ffadca5d34cf978b3f5ab32631d942bdf469c6743655a87623464

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0c2fa92db550293aabae8868ebecf12b

SHA1
a662c3933f4982d271b525901eb2a851df18dd52

SHA256
4363e722b9b13b23222fbbdeac66e94c1ed443e31dc8dc5522b9e5dc4586475c

SHA512
32d6ec6d2acaccdf810f8a8086df661bc4a676f116dad1f515df64af3ba592de91bd94d3ed6c302d98d80760bca0a6fd04704c6fa22435260b191f200e904d84

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
1262006bf4e41de98aa39992f232feac

SHA1
79f8e063ac6a320745279252de602d58bc9eb385

SHA256
d81144b8e5e42bdf3e23fbea01f6c9a886e9964c120bd855c10d864e869e2098

SHA512
832b22e5311aef82bf1cdccaf2619329efc87b75b984abfa71e224dcaa5a494ba3b080df46f2a257d05d14a31da91dbbd1272863203ac9978f71275f87e22bf9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7412c9a349b0995d71c32a1ff42c8ca9

SHA1
03f536172dffed6201c2496e61a1f1855bbef8df

SHA256
ccc8c6b8f81c393c6b06ab00e7f45f207bebe0a24ea68b3877cbeaaaf37514ff

SHA512
fa9cf693045cb560625c4756865b7590b65a35dcbd6e2197167c3f48b6243925afe55d5ed04cd9db01732a6fc936be5c3e384621c0c43f9ed6ea31c9d8450846

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ec6a3aad80a0381c6b52d884cc4dc38e

SHA1
ba5572cad448d7a75af6a1785abddee5f9aacf94

SHA256
045a5955f3c84c2cfb7756356809c296d98287f117636056abcaa437182cdd84

SHA512
e9ffd33709c4fee826b65ce1b1f2b99d8a00397e7987cc0314668fb841b295839f07a4d99ddf5862298c8c3a7af8130fcb40605ab332e005044c6e4fd9cea787

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
f0e6a13c7d1e3f2b013f5d3d25324ce6

SHA1
67041db42281a6ad6ac31a1e034afa8dc25084a1

SHA256
c2d6e72d1d7302fe3ffdf37b48b14959292f026914be704afbe65fcf98256b0b

SHA512
7662f8aeb89db732910d384bfdf430398a9c2b3507980afb93935bab9bc0113977e0b493869898f14b7b003381753d618d3136319d4455f82360d23068d46d16

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
cef023555b5342cc223216bcae4724b2

SHA1
c2e4a0bcfb1dc98b2bbeb4f1e0b61819cf546663

SHA256
67082c35a53e4f6a7dfafd0d12f802d45ec9eba779a2c7826e60f528379cdf52

SHA512
b9c9a29b466a8ad648176ba99c2c96ff93ed52286c0a967a7daf44eb172871994fe9d3bf312c998c8250fe7b1d863cb81b76e5b7b93fef8a6ebab73c288cb31f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
1e3ffe0dd3a363e4f3b445058f6add59

SHA1
e8702910428158617f4f4a3bddfd74ae53da5c2f

SHA256
a7c3a9fc417da2f727c10603f5d4fd33fd5abbed2cb5ce51cebc0c022c7aa816

SHA512
2708e380929324d545394efd20a60dc292716337bea19f44c0f1e12034ba5f5bcd6d103af27c25879d1a38fee00971d4d177a2520d1e4050905f3a51ffdf9fcb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
375a6e32382d2a4e10f446a9921399d0

SHA1
f706e651269dbcf723bbf4c35f289e31909f79e6

SHA256
c95c9ea2231f9ab4cf335b71338a7ad232d175c15db62443cc992247a4d7eab1

SHA512
198389c5b188b319ba0af61a9e2c7857ef89da6c86f1aa6577fc9440b9621f61e25e3b48acd5ad98780296693b81da1f7eeb6a57e96cc6fa95f1819ab24ccd12

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.9MB

MD5
6a39d755ec5ac352b5ebb7ab32c1ab7f

SHA1
ba433610dd9996356006532047d4b077c9aa0f5b

SHA256
9f8fe80be59301b180485eb4c63c245c6716f2d65cf0023c567189cc2caefebd

SHA512
409c124629308496f66dcb1c4d31ecdc0bb4b99920db4e8cbf9690d26fb7fc8447a1af1c1548346a033c1f14011a2d18bc723cb75a0c27d3800b83ceaa524860

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2c4ab50567649e4b4058d7c0872c31dc

SHA1
9971a8b0e1f1ea7935ff367d1c64b75eaeb7dd18

SHA256
3f736ee818d18e1f11135e22e999454f064a9d6754ac67b4f8bab8192966ee5f

SHA512
719a74c0ef8cc4073485df472525a6f79e48699968c1ea70fe1b25dcd68f9ee885bde7df012f0d842c42c183d9977d76682890c95662c24ada60f061d63ac782

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
2f966568c9d207471b13e153fdb25df2

SHA1
b5c7cf29c4923b70729037f2e104e91ab3c463ba

SHA256
d0548a76f5a1caf0c5aa11427e5429e377a8cdc90bf180bdcafde67d75096876

SHA512
fb4e2e3eb62ee9f0ad944a2f4150d56dc2f5586adb9e81fecb1a09ca3fc9a53990a7ce24a0aef509992bf79b1d5bec1e3510ddfc639ec64cd7e9ebd43f7c6eaa

Download Submit
C:\Windows\Temp\CabA554.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarA5F2.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0817dd144bd1703a16af65cf81ef80e6\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
759KB

MD5
37c49cf471f7ad881127f9e38bed1a10

SHA1
473c3a7a28d138ccfff0d971a1ce9360ab990aba

SHA256
9ef88d67461f4d91de1e16fab938d5561db9d04898d8776f9e716fdd52f91369

SHA512
e88e5b3b41b5763ed7de4d3ef40ec77144252c30d8d67f5b387b905026bd856e9d70889ccf9f78b0c0a7b0298ca8afdbaed133675001dc60593c6fbc31e93c47

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\110da956d71d8525ba5fc64c9768de89\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
fd68469504c8750b48b2abc4c204ceed

SHA1
245d4d94025bb77cbd6863029dbfa585ae50dbfb

SHA256
d094ec2602d9162729fa6f8229af0f672e22d3a5d1b60dc878fb2193d35b4801

SHA512
0138157bd32655fe0da1e32c6f79055e0c1670572da90fba3d5e3d7274b47e99077a7f0dd80be957c3ab0774ae37a9a7645f84086428577f31ca58cdfb452690

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
227KB

MD5
4ec89a4e8fe1b5b9916ace8dbabc0418

SHA1
dafec0baada7f2fa425978a5816fe852053fb1fc

SHA256
6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0

SHA512
648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1efda3934923cfbc101b5b5d02b9fe53\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
608f5782358919365a6f1be6242d147f

SHA1
faa20a28bdad5bbbc6dd4079da813b9b6ed39656

SHA256
21e20c81e927fb90211e13fd8284a73b1d9d9c430db6df7e84a53c00fbb3a989

SHA512
5e3adb17a643c251289eaf082fb15ea989656832bdabf15802c03e92f3fd2718a9ee7e5afeb51d707df53792055cc763b293c9b4777a8ac341e39d40af19502e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
221KB

MD5
78c5a493778f578ef5517fe161162819

SHA1
faf377bdc739623fb5f111d51af97e8c78f11525

SHA256
aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93

SHA512
6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3d44bef21e2ba4ac9ce65880200ae493\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
6126ccc87fc658f8eb52227d28317f8f

SHA1
a037b7cb597c91f665a87af05e5901bc3729a247

SHA256
e4c34bc0a99d3676c3b1569baec89024ad2d7e4af6c0a2566b19bd0f7dea0492

SHA512
537b8c0d20371511a974ffac50a05d8218c9529c3024be549d2af6758d34ddb54e9f710bc355c0fec4243fe90445c0c500a6da34370b25fda0d386dd0d8130fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3ecb155761b697ceb0811dabf8523a09\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
caecbfae1cd0ea9f37bb0738503ccade

SHA1
effee7be629a42b516b007ebfe0e3173a2f379b5

SHA256
c151b925968e4f4e69b0efe0638f9fb29df4c3da7ad04d6cd8a72bac1e1f256d

SHA512
79cf0e1dd52b8a22adaaf9581effcd3c8a84d997089cbf9e0f654b57dcd5b881c5aa9f7adc2545da464fb8bfcf1ef18732c1fcefe61e9138774ff955fb8c8f2f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
381KB

MD5
0811b25e0449e04f782127bc6f8ac5e3

SHA1
dc1766e20ee338b12fa80e3ce0052ef97ddf9e20

SHA256
20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c

SHA512
a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
947KB

MD5
b1aa17d171be82960213057ca35815a9

SHA1
6c68a8a2c524ddbe04395dfa613378bb311aa314

SHA256
c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e

SHA512
6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
483KB

MD5
aae5a97685a809d0a0f661f9319f8a12

SHA1
b5fdd4ec4cc057fccc868de4f4910be89e23e48a

SHA256
c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

SHA512
d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
436KB

MD5
748bed51a810c033b91c660b5776ab95

SHA1
ec2616fb01949fb9fe4b0eea707f7095b69aa9e4

SHA256
45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7

SHA512
dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b22777deb45f6aeebf6bc7753dd76eea\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
220KB

MD5
5c35887a0b76108f6fb6daac51256ef5

SHA1
3be6ece2f60d205bcb955a5da0aa182d83cc1899

SHA256
9f8de356dab305f2be5cf1f75934eb6b87072e1745ab5ee73ab4b319bb9a2b5a

SHA512
0d1d2e5dd3ec776fab85e8f3b8cde32718bbbb52463c2702a17336326570a2fd624b0e32fd98182bba8c25fdd57ba861edebc1f00cfa66c04ec1c8a6f10fcee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
487KB

MD5
aefa28d036740086ae52d157f245200a

SHA1
d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55

SHA256
75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49

SHA512
3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
229261a5d93c3c67673d9ffad3879d5a

SHA1
f9b251694c0bb6c7279bbb45f9721da990367261

SHA256
ff752f70d24c3120bc9a064210e4d9e4c75eb16a2c191f945705c25403cb48a9

SHA512
5f99cd4fbe3a7e1e4d11b9fe52788370cf398da1c522c0f947e2b0c54a1aa0c9dbc1db223832923af59ecd27ff9e400f39d72bab48bd4a412a21d0069edec213

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
47e5fd928e6c868cda1ed94282807650

SHA1
50632f51cfead0f72f3e478019466944ad47eb54

SHA256
0c3aac106855083ea8bf8b92f95273ec85a1b15953e6d49d527c9ed59751fdc5

SHA512
cfb0e85c2eff8c8c7179bf7a166f467d7a45ef0b450dc80d6848d7a6aeecd5fba44e60bc22d2fc092cfbb85ec7bc8071d58247377222936e9d914fb0acf32265

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9b586e21bccd767fb56cd7c722c0949e

SHA1
2580dadce1695ff7b21d935b3d30a7ea306788a6

SHA256
7103ccd07833091fa62519ec60591955fda1dbde96cf6b4171af361b3d892f90

SHA512
5aee51bec7caf2d1d7fc1b5fa404c4d7916356558bc7f5cace5726edcb0b8fce2b1505ae04a3707a625b0b960409b4b25820b18ca719b42aceb0ccb2ee5590b9

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
961a0e37afcb1ced1c5bb4e01549fa5f

SHA1
fd50f64eca47ac090a6a115721b99d9b5d996f08

SHA256
ec1048c18849cf39b0b6bf4f4ce3cbead61de8f0e471497f3813497e4c7b01b4

SHA512
4d9a494629280b15562712031965b97fea43d9aa2e55c2c8dfa24a38b56efeda8b6ef6a850ef3702795c0e612f827aa56c46b1917bcdbc588a7bf658e49759a9

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
5b2647510af04884a0862981c52f34f2

SHA1
46063e606ab1da2b4294075c0b7ffc53235b7bea

SHA256
3f6829798831b4be6c121199eafab408483d55160366d3e78ce67939cb8addfd

SHA512
8e8cd1052148c042594634b1c9d15746bef7d868419c7a8518bfb04b29a361a519870fde7e24f019518b2eb85669eb485d6e9ff002bc21216c1f9dfcb8c7db7a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
9b0b31b897cbba6b71ff7057673d1664

SHA1
154ba27f1145f365da5845df6302df72ef9188e6

SHA256
de326a180daf02360a930f297550bcb4804a100cfdbc993cfe6239c8f3d64137

SHA512
1defa8f20a061640aebce1aeee7d7fcfaeda8398d2d032194ac7be5a9a3948cb71bc892ddbf77fa1ecf6bcd516b12f103d0f292c1be8a9ab50006a21a619a427

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
8abec0611657269404e6f14b919fcd16

SHA1
840fba3afc9bf49b96b99588ef78ed19810db08a

SHA256
5931fb27db5151f10ed88921f2d55e1182505d742aa0dcbcc99535fc79325ae2

SHA512
abb54997d83624fae364d0540fa275a56591d54aafe1dd8c4897d5f8b574625723fb93673e12435cba115fbde1c6b3774ecb9a321c2fb5bbdb7f98b03da23c7b

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
d2f1473255f44a8cda7461b85f1b1a31

SHA1
103c2f73dfd997e7e009e1effba34b9f37c639b8

SHA256
940a281df891d349b254440ab6b1e99273b7daf4dfb4af77d120bc91f80ac2e0

SHA512
5d1b13cff9073e932b0a92584a0fb3aeec34141debac7580b84b3c41e015cb67a45ca2e66c0ab3ab87752bbb7d9748fdcec089c23cb7224806c24d815aa69e12

Download Submit
memory/544-621-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/544-614-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/764-314-0x0000000100000000-0x00000001001A4000-memory.dmp

Filesize
1.6MB

Download
memory/964-264-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/964-146-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1168-75-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1168-201-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1168-80-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/1168-74-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1512-772-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1512-742-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1512-780-0x0000000003D80000-0x0000000003E3A000-memory.dmp

Filesize
744KB

Download
memory/1512-783-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1600-595-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1600-235-0x0000000001000000-0x0000000001176000-memory.dmp

Filesize
1.5MB

Download
memory/1684-633-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1684-645-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1712-667-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1712-679-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1752-1003-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/1752-1002-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/1752-1000-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/1752-1001-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/1816-239-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-118-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1816-945-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1816-112-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1816-117-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1852-660-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1852-322-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/1920-310-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1920-183-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1924-702-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1984-156-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1984-278-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1984-939-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2012-682-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2032-182-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2080-635-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2080-656-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2080-722-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2144-759-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2176-232-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2176-97-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2176-92-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2176-99-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2236-632-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/2236-265-0x0000000100000000-0x00000001001F4000-memory.dmp

Filesize
2.0MB

Download
memory/2252-692-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2252-791-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2252-794-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2268-739-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2268-604-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2268-617-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-313-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/2284-315-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2340-570-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2340-9-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2340-64-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2340-568-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2340-0-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2340-8-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2396-134-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2396-884-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2396-252-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2476-671-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2476-329-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2484-261-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2484-624-0x0000000100000000-0x0000000100176000-memory.dmp

Filesize
1.5MB

Download
memory/2560-103-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2560-55-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2560-56-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2560-62-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2604-768-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2628-211-0x0000000000540000-0x00000000006D2000-memory.dmp

Filesize
1.6MB

Download
memory/2628-586-0x0000000000540000-0x00000000006D2000-memory.dmp

Filesize
1.6MB

Download
memory/2628-199-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2628-481-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/2640-40-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2640-45-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/2640-39-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2640-613-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2640-72-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2640-240-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2684-213-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2684-592-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2748-1040-0x0000000001A60000-0x0000000001A6E000-memory.dmp

Filesize
56KB

Download
memory/2748-1042-0x000000001AE80000-0x000000001AE9E000-memory.dmp

Filesize
120KB

Download
memory/2748-1039-0x0000000001A10000-0x0000000001A28000-memory.dmp

Filesize
96KB

Download
memory/2748-1041-0x000000001AE60000-0x000000001AE7A000-memory.dmp

Filesize
104KB

Download
memory/2796-719-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2816-27-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2816-28-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2816-36-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2816-133-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2880-1016-0x00000000019E0000-0x00000000019EC000-memory.dmp

Filesize
48KB

Download
memory/2880-1018-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2880-1021-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2880-1015-0x0000000000E40000-0x0000000000E4E000-memory.dmp

Filesize
56KB

Download
memory/2880-1020-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2880-1017-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2896-873-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2908-186-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2908-328-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2920-20-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2920-22-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2920-14-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2920-90-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/3024-655-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3024-659-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download