25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
Size

1.2MB
MD5

a210b365dd3c78d83c073713c8b73870
SHA1

e628721f705a883826527ee805105a0fb9d028c8
SHA256

25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1
SHA512

6256e863eeff690b8e9a02d1ace56bb2492fa0f534edc9fd42ec987bd8ec156ebdc3116be3ecc50596132c50f517e6c2557fa78f5c0c1ab2cbd8d20580365922
SSDEEP

12288:NdBMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:HaSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2144	alg.exe
2684	aspnet_state.exe
2564	mscorsvw.exe
2720	mscorsvw.exe
1864	mscorsvw.exe
872	mscorsvw.exe
388	ehRecvr.exe
2196	ehsched.exe
664	elevation_service.exe
2020	IEEtwCollector.exe
1360	GROOVE.EXE
2924	maintenanceservice.exe
1748	msdtc.exe
2172	msiexec.exe
2592	OSE.EXE
2612	perfhost.exe
3024	locator.exe
2388	snmptrap.exe
1628	vds.exe
1900	vssvc.exe
1656	wbengine.exe
1508	WmiApSrv.exe
2924	wmpnetwk.exe
2692	SearchIndexer.exe
908	mscorsvw.exe
2884	mscorsvw.exe
2628	mscorsvw.exe
2540	mscorsvw.exe
2856	mscorsvw.exe
928	mscorsvw.exe
1920	mscorsvw.exe
2752	mscorsvw.exe
1448	mscorsvw.exe
3020	mscorsvw.exe
1728	mscorsvw.exe
2620	mscorsvw.exe
1796	mscorsvw.exe
2236	mscorsvw.exe
2588	mscorsvw.exe
1760	mscorsvw.exe
752	mscorsvw.exe
3020	mscorsvw.exe
1728	mscorsvw.exe
2232	mscorsvw.exe
3016	mscorsvw.exe
2008	mscorsvw.exe
2860	mscorsvw.exe
2520	mscorsvw.exe
1384	mscorsvw.exe
2904	mscorsvw.exe
2132	mscorsvw.exe
2328	mscorsvw.exe
2888	mscorsvw.exe
2996	mscorsvw.exe
2992	mscorsvw.exe
548	mscorsvw.exe
272	mscorsvw.exe
2780	mscorsvw.exe
2124	mscorsvw.exe
3044	mscorsvw.exe
2620	mscorsvw.exe
2644	mscorsvw.exe
272	mscorsvw.exe

Loads dropped DLL 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2172	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
760	Process not Found
2996	mscorsvw.exe
2996	mscorsvw.exe
548	mscorsvw.exe
548	mscorsvw.exe
2780	mscorsvw.exe
2780	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
2644	mscorsvw.exe
2644	mscorsvw.exe
2036	mscorsvw.exe
2036	mscorsvw.exe
2164	mscorsvw.exe
2164	mscorsvw.exe
2428	mscorsvw.exe
2428	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
1624	mscorsvw.exe
1624	mscorsvw.exe
1128	mscorsvw.exe
1128	mscorsvw.exe
2980	mscorsvw.exe
2980	mscorsvw.exe
2516	mscorsvw.exe
2516	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
1384	mscorsvw.exe
1384	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
628	mscorsvw.exe
628	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
1168	mscorsvw.exe
1168	mscorsvw.exe
1700	mscorsvw.exe
1700	mscorsvw.exe
2856	mscorsvw.exe
2856	mscorsvw.exe
1292	mscorsvw.exe
1292	mscorsvw.exe
2240	mscorsvw.exe
2240	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\17e381828464adf2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\System32\vds.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\locator.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	aspnet_state.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9DFE08CC-30AD-4427-BBD2-AE53EED44C59}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4A0B.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8D03.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	aspnet_state.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6355.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index161.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	aspnet_state.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4B04.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP428C.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index164.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP447F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index159.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4E9D.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8EB8.tmp\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008028b68d6d0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1652	ehRec.exe
2684	aspnet_state.exe
2684	aspnet_state.exe
2684	aspnet_state.exe
2684	aspnet_state.exe
2684	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: 33	2248	EhTray.exe
Token: SeIncBasePriorityPrivilege	2248	EhTray.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeSecurityPrivilege	2172	msiexec.exe
Token: SeDebugPrivilege	1652	ehRec.exe
Token: SeBackupPrivilege	1900	vssvc.exe
Token: SeRestorePrivilege	1900	vssvc.exe
Token: SeAuditPrivilege	1900	vssvc.exe
Token: SeBackupPrivilege	1656	wbengine.exe
Token: SeRestorePrivilege	1656	wbengine.exe
Token: SeSecurityPrivilege	1656	wbengine.exe
Token: 33	2248	EhTray.exe
Token: SeIncBasePriorityPrivilege	2248	EhTray.exe
Token: 33	2924	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2924	wmpnetwk.exe
Token: SeManageVolumePrivilege	2692	SearchIndexer.exe
Token: 33	2692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2692	SearchIndexer.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeDebugPrivilege	2144	alg.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeDebugPrivilege	2684	aspnet_state.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe
Token: SeShutdownPrivilege	1864	mscorsvw.exe
Token: SeShutdownPrivilege	872	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2248	EhTray.exe
2248	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2248	EhTray.exe
2248	EhTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe
3048	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 3048	2692	SearchIndexer.exe	57
PID 2692 wrote to memory of 3048	2692	SearchIndexer.exe	57
PID 2692 wrote to memory of 3048	2692	SearchIndexer.exe	57
PID 2692 wrote to memory of 1632	2692	SearchIndexer.exe	58
PID 2692 wrote to memory of 1632	2692	SearchIndexer.exe	58
PID 2692 wrote to memory of 1632	2692	SearchIndexer.exe	58
PID 872 wrote to memory of 908	872	mscorsvw.exe	59
PID 872 wrote to memory of 908	872	mscorsvw.exe	59
PID 872 wrote to memory of 908	872	mscorsvw.exe	59
PID 872 wrote to memory of 2884	872	mscorsvw.exe	60
PID 872 wrote to memory of 2884	872	mscorsvw.exe	60
PID 872 wrote to memory of 2884	872	mscorsvw.exe	60
PID 1864 wrote to memory of 2628	1864	mscorsvw.exe	61
PID 1864 wrote to memory of 2628	1864	mscorsvw.exe	61
PID 1864 wrote to memory of 2628	1864	mscorsvw.exe	61
PID 1864 wrote to memory of 2628	1864	mscorsvw.exe	61
PID 1864 wrote to memory of 2540	1864	mscorsvw.exe	62
PID 1864 wrote to memory of 2540	1864	mscorsvw.exe	62
PID 1864 wrote to memory of 2540	1864	mscorsvw.exe	62
PID 1864 wrote to memory of 2540	1864	mscorsvw.exe	62
PID 1864 wrote to memory of 2856	1864	mscorsvw.exe	63
PID 1864 wrote to memory of 2856	1864	mscorsvw.exe	63
PID 1864 wrote to memory of 2856	1864	mscorsvw.exe	63
PID 1864 wrote to memory of 2856	1864	mscorsvw.exe	63
PID 1864 wrote to memory of 928	1864	mscorsvw.exe	64
PID 1864 wrote to memory of 928	1864	mscorsvw.exe	64
PID 1864 wrote to memory of 928	1864	mscorsvw.exe	64
PID 1864 wrote to memory of 928	1864	mscorsvw.exe	64
PID 1864 wrote to memory of 1920	1864	mscorsvw.exe	65
PID 1864 wrote to memory of 1920	1864	mscorsvw.exe	65
PID 1864 wrote to memory of 1920	1864	mscorsvw.exe	65
PID 1864 wrote to memory of 1920	1864	mscorsvw.exe	65
PID 1864 wrote to memory of 2752	1864	mscorsvw.exe	66
PID 1864 wrote to memory of 2752	1864	mscorsvw.exe	66
PID 1864 wrote to memory of 2752	1864	mscorsvw.exe	66
PID 1864 wrote to memory of 2752	1864	mscorsvw.exe	66
PID 1864 wrote to memory of 1448	1864	mscorsvw.exe	67
PID 1864 wrote to memory of 1448	1864	mscorsvw.exe	67
PID 1864 wrote to memory of 1448	1864	mscorsvw.exe	67
PID 1864 wrote to memory of 1448	1864	mscorsvw.exe	67
PID 1864 wrote to memory of 3020	1864	mscorsvw.exe	76
PID 1864 wrote to memory of 3020	1864	mscorsvw.exe	76
PID 1864 wrote to memory of 3020	1864	mscorsvw.exe	76
PID 1864 wrote to memory of 3020	1864	mscorsvw.exe	76
PID 1864 wrote to memory of 1728	1864	mscorsvw.exe	77
PID 1864 wrote to memory of 1728	1864	mscorsvw.exe	77
PID 1864 wrote to memory of 1728	1864	mscorsvw.exe	77
PID 1864 wrote to memory of 1728	1864	mscorsvw.exe	77
PID 1864 wrote to memory of 2620	1864	mscorsvw.exe	70
PID 1864 wrote to memory of 2620	1864	mscorsvw.exe	70
PID 1864 wrote to memory of 2620	1864	mscorsvw.exe	70
PID 1864 wrote to memory of 2620	1864	mscorsvw.exe	70
PID 1864 wrote to memory of 1796	1864	mscorsvw.exe	71
PID 1864 wrote to memory of 1796	1864	mscorsvw.exe	71
PID 1864 wrote to memory of 1796	1864	mscorsvw.exe	71
PID 1864 wrote to memory of 1796	1864	mscorsvw.exe	71
PID 1864 wrote to memory of 2236	1864	mscorsvw.exe	72
PID 1864 wrote to memory of 2236	1864	mscorsvw.exe	72
PID 1864 wrote to memory of 2236	1864	mscorsvw.exe	72
PID 1864 wrote to memory of 2236	1864	mscorsvw.exe	72
PID 1864 wrote to memory of 2588	1864	mscorsvw.exe	73
PID 1864 wrote to memory of 2588	1864	mscorsvw.exe	73
PID 1864 wrote to memory of 2588	1864	mscorsvw.exe	73
PID 1864 wrote to memory of 2588	1864	mscorsvw.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe
"C:\Users\Admin\AppData\Local\Temp\25b53a3acec42433f525ef9dbfad6d3590754906b04bffd6d580b77c8a5575e1N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2564

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d4 -NGENProcess 1ec -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 260 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1dc -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 268 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 264 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 294 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 288 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 23c -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 2a0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1e0 -NGENProcess 204 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 1c8 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 204 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1c8 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 204 -NGENProcess 1c8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 244 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 1c8 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1c8 -NGENProcess 244 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 27c -NGENProcess 260 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 244 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 244 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 274 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 258 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e8 -NGENProcess 2d8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e4 -NGENProcess 258 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 258 -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 258 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 30c -NGENProcess 2d4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 258 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2d4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 258 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 32c -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 310 -NGENProcess 2cc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 330 -NGENProcess 318 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2cc -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 318 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2cc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 318 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2cc -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 318 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 34c -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 340 -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 354 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 35c -NGENProcess 340 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 36c -NGENProcess 354 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 340 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 354 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 368 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 340 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 354 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 340 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 354 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 388 -NGENProcess 340 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 380 -NGENProcess 398 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a0 -NGENProcess 368 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 340 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a8 -NGENProcess 380 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 390 -NGENProcess 340 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3b0 -NGENProcess 3a0 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 380 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 340 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 380 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 340 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3a0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 380 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 3d4 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b8 -NGENProcess 380 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b8 -NGENProcess 3c4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 368 -NGENProcess 380 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3e0 -NGENProcess 3d0 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3d0 -NGENProcess 3b8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e8 -NGENProcess 380 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 380 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3f0 -NGENProcess 3b8 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b8 -NGENProcess 3e8 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3f8 -NGENProcess 3e0 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3b8 -NGENProcess 408 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 380 -NGENProcess 3f4 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 40c -NGENProcess 3fc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 410 -NGENProcess 408 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 3fc -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 408 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 3f4 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 3fc -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 408 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3f4 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3fc -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 408 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 3f4 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3fc -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 408 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 3f4 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 3fc -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 408 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 3f4 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 3f4 -NGENProcess 448 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 458 -NGENProcess 408 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 408 -NGENProcess 450 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 460 -NGENProcess 448 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 45c -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 450 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 448 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 45c -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 448 -NGENProcess 45c -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 47c -NGENProcess 464 -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 464 -NGENProcess 474 -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 484 -NGENProcess 45c -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 488 -NGENProcess 480 -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 48c -NGENProcess 474 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 48c -InterruptEvent 474 -NGENProcess 484 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 494 -NGENProcess 480 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 480 -NGENProcess 48c -Pipe 490 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 49c -NGENProcess 484 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 4a0 -NGENProcess 498 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 498 -NGENProcess 480 -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 480 -NGENProcess 498 -Pipe 4a8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 498 -NGENProcess 484 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 4b0 -NGENProcess 464 -Pipe 49c -Comment "NGen Worker Process"
  2⤵
  PID:948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4b4 -NGENProcess 4ac -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 484 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4bc -NGENProcess 464 -Pipe 494 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 464 -NGENProcess 4b4 -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 4c4 -NGENProcess 484 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 4c0 -Pipe 4b0 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 4b4 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4d0 -NGENProcess 484 -Pipe 480 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 484 -NGENProcess 4c8 -Pipe 4c0 -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 4d8 -NGENProcess 4b4 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4dc -NGENProcess 4d4 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4d4 -NGENProcess 484 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4e4 -NGENProcess 4b4 -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4e8 -NGENProcess 4e0 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4ec -NGENProcess 484 -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4f0 -NGENProcess 4b4 -Pipe 4cc -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f4 -NGENProcess 4e0 -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f4 -InterruptEvent 4f8 -NGENProcess 484 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4fc -NGENProcess 4b4 -Pipe 4e4 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 500 -NGENProcess 4e0 -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 504 -NGENProcess 484 -Pipe 4ec -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 4f8 -NGENProcess 4b4 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4f0 -NGENProcess 508 -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 510 -NGENProcess 484 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 4b4 -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 508 -Pipe 500 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 484 -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 4b4 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 508 -Pipe 4f0 -Comment "NGen Worker Process"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 484 -Pipe 510 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 4b4 -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 508 -Pipe 518 -Comment "NGen Worker Process"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 484 -Pipe 51c -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 534 -InterruptEvent 538 -NGENProcess 4b4 -Pipe 520 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 53c -NGENProcess 508 -Pipe 524 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 540 -NGENProcess 484 -Pipe 528 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 544 -NGENProcess 4b4 -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 548 -NGENProcess 508 -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 484 -Pipe 534 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 484 -NGENProcess 540 -Pipe 554 -Comment "NGen Worker Process"
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 538 -NGENProcess 550 -Pipe 53c -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 558 -NGENProcess 548 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 55c -NGENProcess 540 -Pipe 4b4 -Comment "NGen Worker Process"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 55c -InterruptEvent 560 -NGENProcess 550 -Pipe 544 -Comment "NGen Worker Process"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 548 -Pipe 54c -Comment "NGen Worker Process"
  2⤵
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 540 -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 550 -Pipe 538 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 570 -NGENProcess 548 -Pipe 558 -Comment "NGen Worker Process"
  2⤵
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 574 -NGENProcess 540 -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:2328

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:388

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1360

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
51d04c2c6ec4e54afa6d2a895d86a937

SHA1
c547fbfe4b19b8e2b0486300588cf28525eb02be

SHA256
b1dc409d13de0bac1a0fe16763f5151b02b621b19313d8fb7786df080640447a

SHA512
d876557379c081ea5e33192e839a5c7508350aa1f78e00ee60f5a5d1de88ebd2e3bba7a81b7dddfd554b4d868112add951d84244508cf0980c56a94858dc3f5e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
f2b5cb48e21212d37c7db9b4bf303562

SHA1
ac76ee3450c70625dc2c678a7adc97c6de904624

SHA256
9987e34844adf4d65faa0f373cdca124b49304b26a5f4d2f13883e8d0b3df3c0

SHA512
50ef3738aa909c198046f95530596f4dc1502e0b1bc4d0ad30ec1a4c7bc1e7468da3d9314a15db02aaadd8b89117e057bda84fe61e5d9099e8e319feed0606ae

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
47bdb0067ec69050913855cc74d6ff11

SHA1
3a975258d30ec769ce46c0a8ef44226ce3b2c5c0

SHA256
ef175b7eaf8a0ce67a56c70a89e0fdd24f8f9e490c6150c9a034e42730c370d7

SHA512
d48e08677ca5e59b1f79a624ea7ac1db3b6b6add77f51b45195f6ea713ee462c7b344c6d1c1507ed294becb05cd80549c2ba87363b9a6359a212e3b2420802ea

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
f4dd6f95447f3d56ae64a31385d7f957

SHA1
02b85b51b09c09f645eec54b15db489531aed39d

SHA256
643354757b83087cef6a16b4ad39b9cf5b10566531e1e84a81beb320052ec954

SHA512
60231c5bb69b601250b56026bbf4b13864003545e2702a358072aafa095914de6d9bf94e419ea4cbbd4d99799d1439b9a39a51de56601de02c3ae60c9a31e182

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
0a390e571c1fd2878e1315fd92e22bee

SHA1
e1d13cb295ad089de3be932eb9974e3203083535

SHA256
f24d5769a040ae7dee2565f0508a6bee8ed01b31ec8252520e2aa849be8a93e4

SHA512
5d7bdd944f5eec2e85181fa5f2f980b3acba5568b2378183ca5ffeb016c316ee53051f6937a68686eba30f0a71432fbd25aebb498094120f18eb3bd63720e4b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
f12337f699b2385fdfa798558a7da3ed

SHA1
a81f04553036081aec56b55375d08290622a76a8

SHA256
f0497d8ba4142e56d4302e6e480fdef7346ea849954a9dffeecc90a0e2c14ff3

SHA512
f370a34a212bf4d0fbe76716a20c9b35b2a160755d742c70d369e86f8f723953b3d1aebc9bc59f33ccb2702614865dec7c7c3de332983206834d1c1b844090d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
75371abea615e5f442176257946b59a6

SHA1
7e6548329a180d86b2f0ff4ed6b80e1c7275af01

SHA256
b9985f4e02ce97b73bde52129227b0c5b17d0d769cc416f48eb8b651120b1ad6

SHA512
734e170902938f7850981e67f8542ac5a022de3ad32eb095631f9b56da188d7bee21937bd11f094966eede87eec225e7228b5ef4e848804dbb49d9804befe27e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b22023b10d975378273c1daa3379d21c

SHA1
9e830ea19a0efbd0f593e0e44a5982f5d8e9ccfe

SHA256
673fcc1965e16b40d19c87ba2a2c3d923fdf8f5fbe3af9cc863f15af9f58ad50

SHA512
981d60e0b97bcac858199533f4d543908d182ca59d86f401e9a2c1ece3e9a8f3485bfbd986194bdf721d61b1f599c22b59a7d221e79e4872e444a4be4fc6b0ef

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9c8516c57928c760e42423eba3715603

SHA1
537bbe7b14a735f6715736df5df41eeee95d48f6

SHA256
331eec1261daa40b5bc9a728ad82db60388a1f04c7431da9ffc16457b5a384e7

SHA512
430abb7f7fbf99c0516d05ce3e989bfe2098006f8ac2372428987060bccdd5bb5e30f2f77f16c0c33ca2ebb23776ccad129bce75256a1a0388f8865f46090147

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9dea458fded8044268c6366a05d5826f

SHA1
aef3563029d73472213ac5b00b9dd411b4fed7d2

SHA256
817d33c79be120c50c67bcbc77d421c6706968671410403919b13ebcda10152e

SHA512
5aedf79babd5653c20df1c727646e6f66fd5439d7983eb6fa9aa5a6ee25d60d6c9c515ba9be573bdeee1893e21004b0d3245a4229ca1010c2e894db381e590eb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
358cdf4afb5b41d838a0b2ae70fc59b1

SHA1
b14b71333a3bd8a651b4a0e7ee1b001242b4c8fa

SHA256
f5816454d6c4901b2490eda9543d1f778fe19e2a878b39d52e958d3803fcf358

SHA512
418d70f23e15c9c2c1eaf879e87d4e58e4df2d1278e25e0463a2355e558991cba1f9d7a1b6b6a824b812d12c951490573eb5459a931c29d2cdb0b9b327eed417

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
1ca3b9442188176831512dc03d2e632d

SHA1
70107f7e1daab7faf848c3eae20ac4d3bd282806

SHA256
b9b506e127a402cf9378500a3c404c42774fc0280710ce826cc9022ca624448e

SHA512
154da52d56105a5d96c8aea7afaaffc8205b148a53e8efad2d61643a14999429d05e322421a03ee5415edf41825c5c8a90f1f961710b1ca03b2e486e82a6349b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
c81ce286bb8ac901032e3b9f5060de3a

SHA1
eed74aa0d9c1507d98f720dcc5b63ca3771e0531

SHA256
eea8c565d4e141f923b71ecc99fceb5ee2dee4ba62eaf234cd722fed52386737

SHA512
f62b5f96f95622daaef0b3eb244a6870038e03f214020a61124332e6f6dd1dd8ed2144881d959709727e3db1f2e7de062a622365a77d46d8d894e4fadb0eacb0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
301423ab90a61835035c97d5e54bdc8d

SHA1
765591c6f5a3095493844d60b49504e92256521c

SHA256
a21b427c09ef3e067b71b73bb72779879331430c1393e681df8786835cad0a39

SHA512
1fb14925399b099da7536a697a581a4348fc8271fe314d87568ebf39c4d496e6c5088c038b42d7e67a4002bdaaa473395c24f711a7eeb1eb4e469632ea717f2b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b38595f1374108449409ac5141f63d67

SHA1
08f7c242093dd1835c8133221ba4e05604156c0a

SHA256
a78c02741af7f929d85b3478176be5eed4a12773071772836f86836a58dcb343

SHA512
db4c7baa63d2d5cc09a3341210af8c041667b15318900be911e9d90dc15f773892ea7900734bf5d67529f6a2ec0266524470e5afeba89ab188502e0eb82d306f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
45a364e3973e12443170af6f448a40da

SHA1
7d307ef32e2815dbad376e97f94e04ad14bf8c85

SHA256
3e7f4fc317b31b848bae863dd066a087cf7771f23b6a36fd0704f96d17781fb8

SHA512
a2d0750ba8682236349301b49ced0b62a7538f196950c71d41e023fcaff17ce060c059d3552ae06f0d940671101ce9c8f90f38626edcd47c609dc8e6207c56bd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
240c929f3fe2eda0c0783c5cb777c0ba

SHA1
18919f12d09cea1ea3cd7331ab63f47a52c0d103

SHA256
c4df88b33ff6eaf2df298f7d4d2322ee3162e1a8a8d20d1c4ae42773d7fe4e81

SHA512
0299a4a490620c2030f61f37d5d42481cbb04f6818201a067c22ab23245b9ea443fe5f4dc3e8c1cf20437bb41af39204910daa5a73ff60704e19dfb692582648

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
db8b43fa54fdf8129a1a878f09fec6eb

SHA1
0131fd4fa23abe14f29a1ba317a906bba9a21a06

SHA256
5ed37c111db30df02c5783d2b8ee7c05d27d79ef432891b3d789185e669eb3ca

SHA512
e21be816e93fbb14b6c947283c1d29369310b1d6e3bab117b6f3b6b6098138c2b1538fd10286138431665e2ddbb99549fdf0c293dbffa061ec3b4ec5b40824f0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
a457fa914c2dbd5196fc1b1fa4b565ea

SHA1
c3c8e4ed1a3d9464a97c689584ce6a9d8fa7eff1

SHA256
3468f95f494f3314eef4a800ca526795d6c7678001271550abb911ff58d78a06

SHA512
a9db70e324d3141d11281d6870f3977a847a6c3d75ec6936ca6352b78e2d98583da9a319688bdd00f47debaf6cb793c96c35b1283a39c59179e94816dbbdfc00

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
96073ea1e1c77afbc9c56fe555d0f06f

SHA1
cb9de2f43f4e3d20068ac1d4396ad642736d97e8

SHA256
7fe96e34bf2aff6603d3ca5dfa397580168fb25f2fdcadb27779cc9dcda2154c

SHA512
5d74bde10d0b8c7dd4f60a26322f4c8682514126b727450b9237894ce9cb7444f23d3542cb9a99a8b7e3a7adc2746f5de0bf216ab66eae4767c7bf9901be81ed

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
83beaf0fc0a06b4f97a222939d535fae

SHA1
794193923aff28ef8bd3738bbb32e25441ba545e

SHA256
dd7ac5729d6b546ac0250d9d588d02fa9e57c8b42b94cea9f25ac836d1e1e165

SHA512
9c1df9be9b974e8d01799ef0bb48984575f4a061affa8047c6faa54eba98f42dee2a6bbc9a78dc4e07ebb1731b459dd309d4db6f409cf79eab95496d025b8baa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.2MB

MD5
eb4e6cb507f1ab218ddea5d2b3e62890

SHA1
5e3e0f31ca1923c3e082da85d59750baf9f069a4

SHA256
5142c0b1694e5a3d98763339e31d094aa264ce90f6f2a149431f167d23034d6c

SHA512
d56207848d4c7a72815bad1da857b3318a6606d8e1454b14ec6ef56aa5fa12d471a12124e3109e2a7e9571fc0584f0048e0027e69cf4a818fa34aef628565bed

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
0c57af83c66447144e2d82d02297e506

SHA1
dc9058a40f7d7eb2fcccf84f645d99d3a3d6cab9

SHA256
808d5a0d83d72e775dbdb581629cf92c2640f32e8f811e38638c130bd1e446b2

SHA512
0f4475ba2cf11fa4ce69294c593ee08b484f3958628ec80ada8ccde6cb0987a42906ec1b1a5c04d5d0a2c50f3c3b5633dd27845de59a67edc72df7ebc1c84aa8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
20f9c8ffb0344040af1e38e02bcb9017

SHA1
bbf2674972d87cfcebd66ce8ce20893b32423b92

SHA256
2dd331449436e4783303a73a24570c7c7f5b187052bce76a8f7f75684762ce54

SHA512
9ece8df37969ea1fd082953fdac7dc9a13e6b2799a4639349ab3e6655c05eb96696b38cf68b1cbaf65576933a4197283350cd99d26f305264e25c02584fb2fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
c0968a36faa25a571cd0fd73abf57504

SHA1
82d0b3714866d1304f9cc23222923cc1e036f84e

SHA256
ff791031075f9a8ffa4ec87309ec5bdbba50e51c5b56583744e6d62d1252aeac

SHA512
8c7a27a8e9f6f0c4e6e7479066dded714c05ab4629fbb409347fde52b8ee23bd1635b3b82900ac6b18fd66ec0ea635e601d1ebb2a14d0ea64fe8d0d2ee078463

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
99f38cc438af046eb0f4318c248ccbe9

SHA1
8dbb431ba70798344c8bf05eb6d2512831b8dd18

SHA256
054ba1d0d0de6616b0d9b454e39fbb8887ff2b1a0b5fee367405cf6828ce1efe

SHA512
4999897ce88246622196ed9efcbd49f19a0d5d80f6cc251b07d5ec9afaa459c2c8a8eb580d85c595a529713ea48ad9c85eda6c64a8fc12dc559172635603ecc0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
1b685dcf530bf80e01c6f57536316af9

SHA1
b05d88ba81b6ea1c358129ee7c05cdcf5583cc60

SHA256
acd343f1a568a1aae55311eb27c019b115465d4054853cd47912ac37e000101f

SHA512
a255ab06cccf682e00797ee10e43920e3c25806fc1a27c728c4333c03ae60de1a81d306c82e9dd28e5869fdb33b4d88ab455e38ab22ce19cc838a14de7dd1109

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
fdd3574ea2639ef3cb331e1361340f56

SHA1
0927496a5e798212b0063ab35f232182e8a1c5b3

SHA256
f625debf39572a1e212b32ff93713a15128b1cfaee15467c6b85fc5f21dd254f

SHA512
40013a973b550996a07a4c8a56cd07e23850ba1ba9612db25af212e75fb100e0940a0e30f567d2366899ad66370163b9091e646bb173a2a8056bb9737b74471c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
967f72e14b577ba475327eeaad319090

SHA1
cb153c2b45c36094b2e53862f1eabc17f11046e0

SHA256
693d84c1363ff0f082323fd0effb625b696129ed0b5f9bae752ee4ca73890470

SHA512
a672105aed64a504fc3055e68cec2ee222a7bdd5245a2bc1f80b078731069fff8819340ab0e52cd126b46c25297601fa8f4479ad039088461dc7805e13aca074

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
416b868aa8d8e7e7465bcf280395a827

SHA1
4f024157a75747d2278101b56ac69e3e2fc9ea15

SHA256
03773ae4f41a6eee6b46ce959de1bd3fe3728a1200ce537eeaee19690437bae6

SHA512
b9283b6d1d49c44bab3845613d1fb5892d6e15a699876d547355a312fe3fb7e17ee8c24bebd7bd73c781928c83ac459217129fb4587e61c11ec1b46703c58d7a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
eb84565ff08c7662688f785bf7a969e6

SHA1
d99b097553c7390f5bec829253147b5c2dd24d49

SHA256
976ccd2c3f7f9d90460278dea5dc099e51cc89146d00cef17336c15fb6209241

SHA512
2f8f3ca014d0a82b3ef29bfcb278ed3d939d4ba4f85d6baec79d8184e9033aa0e08ce547788e6ef62beff3b8dc44e22791d7731a02e84e20884b7475fd8f6683

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
60e33c0b88904d35dd12fabb275672f4

SHA1
989580fb3748b9c6640c441d8b3eed6d29956b46

SHA256
9804623613c434784aec27df94f25c6e934c8cf8a7ac5bf12c49a7240fcadb57

SHA512
71e6f11ffb1da967c9c222a6219ccaaed3efa85fdac6baecb0c7b37e100e57d42aea3f0aaf7779aedfbba39398d036817d61ea0ee42a296a0911ee293cfe8625

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4921e0d813f95098b906087fa5795854

SHA1
3870b6124f0976d5cb593d307c9233275ab7497c

SHA256
4b083052d1ee34eee819adb5bf2682c886372f104a7f25d9d1fdec3692c6bd31

SHA512
29021d3dcce2cb078889a8b3ee1b129855cd53c01824550b594b7181e6c3a70ec85e63090335d87d9e847989d5088c121b60e6f724bc314b87a8ee47811de34a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
3b465b1f511fb58d04c719db3ac8c874

SHA1
6134ce5e463bf82e2b1f5c4f8cb7871dec1abd09

SHA256
a9430462c9c0e9daf22df5e448a706f2b655b17710475cd5e9093adf9335fc89

SHA512
fdc48d648cee6ca28ec41b07d7fedbb73c269c77a7e6bffeb69cfa5bf5ca28727cd6805b5a83ccd58877b1112bd646f30906cb8debb1e7c6d15b9605619c71f1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
ed8944ce0fea4d5a03b23e547dd1a2a5

SHA1
cad99eef21174af77a9a281e38c08c41c4856ddb

SHA256
328fb5025f7b691c2c88a047124b4245b2bccbf2725b041104efcc9dd02b3758

SHA512
8620e0de6cc29777cd99dfccf67e394d2fb4dfb1087bba98ab722ed7737320f73cbdef48ffbccda5fec2fa976e19d59e4b21f6dda63bda0f831e07cf9aefef80

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
1.2MB

MD5
098adece9bcec8c7beebe0f2c8b06a11

SHA1
b428da0af4ee0af67a512f97a789b9cd3a6934b6

SHA256
08cde0a83a9da3d2c9d34671b09eee10da49a44fb93bce30775c8906850d9ef2

SHA512
131c47a0445926397423d8179db77dd9133ee435c6f67badc908d8315e2d2d397cef1f84bbc71e02086bdc42f713060869cc61db8d8ef318f0bca0aa61c89e6a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1488f6b44098a33792f032ba8eb2b2ed

SHA1
5e88bfc3c808273823a3780697ab59237dfcdbae

SHA256
9869ebe5dfb8c255b3a0b5a98cb340f3b5906ff01aa33e8fa44752560f364f62

SHA512
3093115c375e4638033d70d4799e54c35695dce4d46b6c3c543c2d7bcbeef932ea008d6ee95799ec5534a5d0e227c7fdacddf2f9239b17912c2d726a587da2f8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1aab9e06fb6c9f0aeccd4bad0374b32b

SHA1
3492a3eb75b2f9489d0f97e021d95f1792b934ed

SHA256
69019910140e3eaf8b0fb725202ce5227c4f740b360e0f3830818538db94aad5

SHA512
eabecaedf762681fd6fa0ef33a55b52fdbf06d9e5b55865e9037830c13b315d05708f226e1bd397a458fd58187a9a11e8f82bfacd3bfc158b0904442de0273c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
02d573bfe8b526e7600f9169315c7c1a

SHA1
3293cacd672403e2fdefe1d797582438ceaee31d

SHA256
d3cc15cd6e0fe89da3c9b54a0cea57ee96fe708f8e05c413f79dfabbe480d08c

SHA512
22c31e21a0eb71aadbc056e8f481b901c1ae2d44f692b48092be2d230f032c6ca91d588e934e24336bb7b81fba1b54d5b7e2b96a0785fdaf549c51d79b88ebea

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
11e0d533146339c548a76492704204b0

SHA1
e9af937c33e83f1240fa073bea03c6513b9eeca8

SHA256
d6bc2ba4f5a2450ae96af2a81485b45d01d3eb8043dd2220d8bdfe0ce9ed3c66

SHA512
5e173394cbb7f9ad366ae4a6fe68b2c08eecf506e4c58a4fdd7567db1dac0b41e916d18a0b2e11d32229fbd2bbf62accbf2bd0ff11bb4d43a5f4f77e8adf8e63

Download Submit
C:\Windows\Temp\Cab713A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar7207.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
1.1MB

MD5
7835e60e560a49049ae728698da3d301

SHA1
87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

SHA256
df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

SHA512
b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
238KB

MD5
0a4ed78b7995d94fa42379f84cd5f8e9

SHA1
90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

SHA256
0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

SHA512
86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.8MB

MD5
9958f23efa2a86f8195f11054f94189a

SHA1
78ec93b44569ea7ebce452765568da5c73511931

SHA256
3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

SHA512
3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\0817dd144bd1703a16af65cf81ef80e6\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll

Filesize
759KB

MD5
37c49cf471f7ad881127f9e38bed1a10

SHA1
473c3a7a28d138ccfff0d971a1ce9360ab990aba

SHA256
9ef88d67461f4d91de1e16fab938d5561db9d04898d8776f9e716fdd52f91369

SHA512
e88e5b3b41b5763ed7de4d3ef40ec77144252c30d8d67f5b387b905026bd856e9d70889ccf9f78b0c0a7b0298ca8afdbaed133675001dc60593c6fbc31e93c47

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\19c2b79f666960d7a242a04c5d76f114\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.ni.dll

Filesize
227KB

MD5
4ec89a4e8fe1b5b9916ace8dbabc0418

SHA1
dafec0baada7f2fa425978a5816fe852053fb1fc

SHA256
6c4f0f9775fbaf81122cba659cdd5449974810c772d51e152fc20016211988e0

SHA512
648704c9808193a045035858b68f7e98981da8c1c98f07e04afacb1b181beeb0bf7df9f42a563636093aff05f01f0c7faacdde0561e9e8776e914611f9f43b34

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\36c5a9d83dfb1b6b1c0202fb505c9daf\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll

Filesize
221KB

MD5
78c5a493778f578ef5517fe161162819

SHA1
faf377bdc739623fb5f111d51af97e8c78f11525

SHA256
aa332098d4073a4c4a654d16ec5fd0b6e2b1f284890057e164204d756095dd93

SHA512
6a905ef75d2eb909cd30c3916110f6b41a849ff4ed9f4c19e4d5f85ccf05d9b9dd009b351003386778801909d2628ce4c6cd9b1a54e3a0cd1ab9c5496f35cf50

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

Filesize
91KB

MD5
adc5887e89bc56694a193d92898d3518

SHA1
267f14c45a86d50ad627c6cb00626049e9c1ee20

SHA256
edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

SHA512
bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

Filesize
1.8MB

MD5
04a6857c04546270358d14398fde209e

SHA1
596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

SHA256
8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

SHA512
4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6348aa5d2bd39c221a41286e95c18b97\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll

Filesize
381KB

MD5
0811b25e0449e04f782127bc6f8ac5e3

SHA1
dc1766e20ee338b12fa80e3ce0052ef97ddf9e20

SHA256
20d8234901a58ec8ec24f2ce7048ac9e1e7381e3eae10cfeb1e002001d2c8b6c

SHA512
a3a07aa4263175688019597b0829b090ad3b8ff43c554b8c89e16b48de86fddab4be6217bce24ccce9cad0c98df1240a7068c8b55778d836c34d5326cbd9c8a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\74054b5793bfb8c8c0753b4d4aead8e3\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0.ni.dll

Filesize
947KB

MD5
b1aa17d171be82960213057ca35815a9

SHA1
6c68a8a2c524ddbe04395dfa613378bb311aa314

SHA256
c632156c276f9189d0f53addcc1043006d86188e3b74d9c4042ab2110b6cfd4e

SHA512
6f042aec9c74da86d15322d4300d93e4a9e69ad3555b302d42d7629dfa060209898b4569a380e9da1a785ddb53a6e0cc0f7543606f17ee467277990971c2fc1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9065d3bacc79e4f8123fcf133926574d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
fe09957d15b9977ddaddd07d5b602e6b

SHA1
4b0d294b9baa2b5df361a88f150170b8f6f8a423

SHA256
47656a3747fb7839422f96cb5468523123be8a308d97b57adf0af032255dccbe

SHA512
004bc2f3e2ed695f57d03b6647c7f68dcc848f68e7465c7a176d96b3e6c48754e74dd6bac4fdead188f6bfba5c4e94bac1c0c1c7bd9599a5dc4eddf7c88fe878

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

Filesize
483KB

MD5
aae5a97685a809d0a0f661f9319f8a12

SHA1
b5fdd4ec4cc057fccc868de4f4910be89e23e48a

SHA256
c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

SHA512
d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8bb1dd63a1537a2bd41d3675e04f0b4\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
242786d17f8fa71550dcf8db115f60a5

SHA1
51c65a99834bc6c0a674552a67b6c3e4390dcfc8

SHA256
71ea14f06b8a11c416e41b2d6cc9426ca7a2974380e54c48670b327344b8618a

SHA512
ae3e75d4cf2b5a5eeded230f7c2253b4928c6f864a5fa36155cd8000bc467c990b3e6a0e1531eca6e79b03b7213a15d9fa0c6492d7c60cf148df4011c136c9a8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ad7d01564f0056d2476f6ae5d257356b\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.ni.dll

Filesize
436KB

MD5
748bed51a810c033b91c660b5776ab95

SHA1
ec2616fb01949fb9fe4b0eea707f7095b69aa9e4

SHA256
45ee38adadeb1586532e8dd4baba14740ccb0801c2e21318c35268543e0ddef7

SHA512
dc0cce4c633b8e43d8f6d565fcfc73d79bfea375a79ae5057af6d3cc1b62f929e34c95bcfe2f7d378ec7f421fafdd9ab73cff454df0934e2d2f45a52580e9df0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b22777deb45f6aeebf6bc7753dd76eea\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll

Filesize
220KB

MD5
5c35887a0b76108f6fb6daac51256ef5

SHA1
3be6ece2f60d205bcb955a5da0aa182d83cc1899

SHA256
9f8de356dab305f2be5cf1f75934eb6b87072e1745ab5ee73ab4b319bb9a2b5a

SHA512
0d1d2e5dd3ec776fab85e8f3b8cde32718bbbb52463c2702a17336326570a2fd624b0e32fd98182bba8c25fdd57ba861edebc1f00cfa66c04ec1c8a6f10fcee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d0f10353907a24bfc267f2c0cabcba2f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
9ad2f393d6e917fde760cdfb8cc8f14b

SHA1
cd312ffa3e2eea618deaa700140a40ac5be6c3b1

SHA256
870dedcb359b4f3850a668dd97c9d10e497c6191114dd70820c62740d09609d8

SHA512
8f56aafe110d4fd7a22b5d31763c0f3a4519ba04146b437784fd51848590235da92c806c36fa09a5f17023f33655186a2321617c9efca645d1ee42cee60fdd12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\daa561280ac1119d9c2694442212aaea\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.ni.dll

Filesize
487KB

MD5
aefa28d036740086ae52d157f245200a

SHA1
d502f55fa76c3cdb69c8ab97321cd9b9a4b68e55

SHA256
75127c1e3a30e544413d7eb24fd726bacf8c3a3951ddba1fc990ad00a7f1cc49

SHA512
3943c099644525fc2b3a50f843cc1612a003d4f92a9187b2fcecaaf90b33071bced0db4608a91bb59c6bf5d1f6f4eb158881bf78cced0597b7bc3045d9b66ee3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4C6B.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll

Filesize
221KB

MD5
9a7934ab591dc6f7d621bb96abfab0f5

SHA1
8e4811338daed15395c4bbd2451527d4dd77916b

SHA256
212973ac66144b31a555c459e8f7b0600a7506850de28144ab18cd2737b0a6ff

SHA512
a292e4662d394c251b1c7dad9e82ba6eb8a43f9135d5f0a26a3f4307abedf9e1a1926f358017d9695140f17776cc0fd0cd1be05a4e04af6c681b65e539bf1d5e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
df35e52365ba205ee8565ff66507ca0e

SHA1
55d9363e108aba5afbdc331e80b7e4cef0aeb00b

SHA256
a5de77c82e5fe56c3d52d29be758f6441bd3f9a7518232ddbe22bbd0fd317f21

SHA512
29019f61d3fc66965e7da63163d496d65ff356ed6dbf2fa623c2124a802b34bb1906528803467e5eca2cfb2e302f2510eb970999d788d8475ee69c5299e42f6d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
77069c07386891967fffb974c4190d4e

SHA1
ca80169ff34fccbb8aaffb3f35864629f9663a46

SHA256
cdd52c172083e2bf99a156fb7098586ecded31e031943b421146fdfe4f8bde70

SHA512
a68f682ebdad91fcb894030b44041954dc9bea15e65acc8b7de396658dd52b2e4e02009f2a6df46fa9d56b4661a3734ca001b48a7db3b27b884dc0739d3e11d5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3820d54336df8efb9160fa6f798d06d5

SHA1
8d0e2e9776643c1939f5a0c6b90ec4884dee31b7

SHA256
8944fa3be3c57d25ccc676a7db415d869cde7f75c6b7901345376f01d772a7e1

SHA512
3137e18191cdb5796ba7c98d6861361293cc5bc0bff830814b8d2b3783b89508ff31e2cdf3c31500f5162e7e91b70d69e96cbb8d4da081637f9f5fd69ddb7945

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
f2c1b1931907e30158f216a66c6d4deb

SHA1
93171ae068aa348b61ef5a7f9819aa5d303d4be2

SHA256
036d4127540935634dc0b93ee8e953a9a05f29b58fa783ef3b6ad942e5126c07

SHA512
59d8badb208a780b8a2f6caf59dfcedee30a2ab9700b2e8143d66aa9618be4ff3d6ff4192831c6209d8e13865d1e49312e0509ab140b5187ddc4cf67de212715

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5632389fb19ebe98c214fb3019e9fc05

SHA1
34acb4cbc00ffbdc7247ff65d1d9eaf5509d134c

SHA256
04dd7688f68527eb1d350e6c2b8ffae04217a7fbbfb6637025924cfd47caf48f

SHA512
691d60c65f74fb8acc630924fe67e244845ff290461b0f4f5743494bb80189599ed51a93d969b1d079969440144f0af8890a6f6db98e9d54d595eb5e7159c716

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
8d27035479a45539b0ad4662f8c68740

SHA1
8ff9d22cbcf32e2144903d1b7e2ed8a886afc082

SHA256
d64a4acb5be0500f287d09e9cd6baa36b95bc159397b0ad7c58ed2feaa42a00e

SHA512
0adfd90c1e38716606e20bccf374b8b0e4be4e33a48ac8f9174d16b4d98d49d96d1d668e6a845e817329a6f5672ea56e9c80f5cc11d0504b5d0ec5b15e155f42

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
002d9744a0080936be6baac8ae233929

SHA1
df456d86e4ec2b60881bfe8ea7576efb3b517851

SHA256
329fd27759f27bd295c9441f1ca604a1ef30fa8f9dd444d36b144999a60cef28

SHA512
c71b08d6856d44e3ec9a72a42b60032ab5cf0d94940d0cd1ca1a4106e089af9a3503abf8f8463ec366b0039351a2a9b0e45d28b4d45d60d95a046bf5e37d742c

Download Submit
memory/388-231-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/388-112-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/388-120-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/388-118-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/664-264-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/664-148-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/752-799-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/752-788-0x0000000003C70000-0x0000000003D2A000-memory.dmp

Filesize
744KB

Download
memory/872-219-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/872-97-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/872-91-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/872-90-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/908-592-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/908-603-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/928-668-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/928-682-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1360-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1360-277-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1384-873-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1384-876-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1448-703-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1448-708-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1508-666-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/1508-315-0x0000000100000000-0x000000010015B000-memory.dmp

Filesize
1.4MB

Download
memory/1628-278-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/1628-624-0x0000000100000000-0x00000001001AB000-memory.dmp

Filesize
1.7MB

Download
memory/1656-651-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1656-300-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/1728-732-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1728-726-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1728-819-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1748-306-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1748-186-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1760-780-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1796-754-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1864-204-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1864-78-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1864-73-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/1864-72-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1900-633-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1900-280-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1920-680-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1920-693-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2008-843-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2020-160-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2028-1-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2028-8-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2028-547-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2028-0-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2028-71-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2028-6-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2144-21-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2144-20-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2144-111-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2144-14-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2144-13-0x0000000100000000-0x000000010013B000-memory.dmp

Filesize
1.2MB

Download
memory/2172-319-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2172-205-0x00000000006B0000-0x00000000007F9000-memory.dmp

Filesize
1.3MB

Download
memory/2172-332-0x00000000006B0000-0x00000000007F9000-memory.dmp

Filesize
1.3MB

Download
memory/2172-202-0x0000000100000000-0x0000000100149000-memory.dmp

Filesize
1.3MB

Download
memory/2196-128-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2196-243-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2232-822-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2236-766-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2388-598-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2388-266-0x0000000100000000-0x000000010012D000-memory.dmp

Filesize
1.2MB

Download
memory/2520-854-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2520-865-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2540-655-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2564-46-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2564-47-0x0000000000970000-0x00000000009D6000-memory.dmp

Filesize
408KB

Download
memory/2564-39-0x0000000000970000-0x00000000009D6000-memory.dmp

Filesize
408KB

Download
memory/2564-102-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2588-767-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2588-775-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2592-486-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2592-228-0x000000002E000000-0x000000002E14C000-memory.dmp

Filesize
1.3MB

Download
memory/2612-578-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2612-239-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/2620-739-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2628-643-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2628-632-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2684-28-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2684-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2684-140-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2684-36-0x0000000000330000-0x0000000000390000-memory.dmp

Filesize
384KB

Download
memory/2692-685-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2692-333-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/2720-63-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2720-105-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2720-55-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2720-54-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2752-704-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2856-652-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2856-669-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2860-853-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2884-599-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2884-621-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2924-198-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2924-679-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2924-182-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2924-328-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/3016-838-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3016-830-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3020-809-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3020-718-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3020-791-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3024-591-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download
memory/3024-253-0x0000000100000000-0x000000010012C000-memory.dmp

Filesize
1.2MB

Download