Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2024, 14:21

General

  • Target

    c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe

  • Size

    840KB

  • MD5

    7f89fc50bf17c10fe8473e708a513590

  • SHA1

    8286d45300ca29f5b14a3f1fa2d71d79af5cc091

  • SHA256

    c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecb

  • SHA512

    d23b93f2397ee12ade43bec967c5bd76a1b5c64427824a0b5d6fcebd9c39b9e7b8344e768a7d47b5eac0499797cbd46845020a47087693f513d379055eaed954

  • SSDEEP

    24576:mJIUY8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:mJIUYgDUYmvFur31yAipQCtXxc0H

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe
    "C:\Users\Admin\AppData\Local\Temp\c52b40238c49b54a25b8a2e1d3499e31e9229bc876702ecf8a4acf9fe0989ecbN.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1352
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1960
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:2824
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2760
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:2600
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2500
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1940
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1132
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 1f0 -Pipe 1d4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 270 -NGENProcess 24c -Pipe 1e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 278 -Pipe 1e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:684
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:564
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1628
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2672
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 240 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2340
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 24c -Pipe 280 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:236
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 26c -Pipe 288 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2060
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1544
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1908
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1772
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2708
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 208 -NGENProcess 1e0 -Pipe 1ac -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2068
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 250 -NGENProcess 1c8 -Pipe 24c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2984
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 224 -Pipe 248 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1972
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 1e0 -Pipe 1c0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1612
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1c8 -Pipe 20c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:624
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 1c8 -Pipe 250 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:864
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:764
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1b8 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:444
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 274 -NGENProcess 208 -Pipe 254 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1968
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 208 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:3004
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 27c -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:624
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 27c -Pipe 208 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2076
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 270 -Pipe 1b8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1480
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2868
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 224 -NGENProcess 270 -Pipe 1c8 -Comment "NGen Worker Process"
      2⤵
      • Loads dropped DLL
      PID:1720
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
      2⤵
        PID:956
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 260 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:1048
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 244 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"
        2⤵
          PID:2108
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          PID:768
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 288 -NGENProcess 290 -Pipe 27c -Comment "NGen Worker Process"
          2⤵
            PID:1968
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a4 -NGENProcess 224 -Pipe 294 -Comment "NGen Worker Process"
            2⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:2972
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 2ac -Pipe 288 -Comment "NGen Worker Process"
            2⤵
              PID:1512
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 224 -Pipe 244 -Comment "NGen Worker Process"
              2⤵
              • Loads dropped DLL
              • Drops file in Windows directory
              PID:2516
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 224 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"
              2⤵
                PID:1972
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
                2⤵
                • Loads dropped DLL
                • Drops file in Windows directory
                PID:924
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
                2⤵
                  PID:1688
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 270 -Comment "NGen Worker Process"
                  2⤵
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  PID:2448
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a8 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
                  2⤵
                    PID:2984
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 224 -Comment "NGen Worker Process"
                    2⤵
                    • Loads dropped DLL
                    • Drops file in Windows directory
                    PID:1048
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 29c -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
                    2⤵
                      PID:2528
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 280 -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"
                      2⤵
                      • Loads dropped DLL
                      • Drops file in Windows directory
                      PID:2176
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2d0 -NGENProcess 2c4 -Pipe 260 -Comment "NGen Worker Process"
                      2⤵
                        PID:2096
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
                        2⤵
                        • Loads dropped DLL
                        • Drops file in Windows directory
                        PID:1368
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 280 -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
                        2⤵
                          PID:2952
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2cc -NGENProcess 2bc -Pipe 29c -Comment "NGen Worker Process"
                          2⤵
                          • Loads dropped DLL
                          • Drops file in Windows directory
                          PID:1612
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2bc -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:3056
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 290 -Comment "NGen Worker Process"
                          2⤵
                            PID:784
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2cc -NGENProcess 2ec -Pipe 2bc -Comment "NGen Worker Process"
                            2⤵
                              PID:864
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c8 -NGENProcess 2dc -Pipe 280 -Comment "NGen Worker Process"
                              2⤵
                                PID:2500
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f0 -NGENProcess 2e4 -Pipe 2c4 -Comment "NGen Worker Process"
                                2⤵
                                  PID:1720
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
                                  2⤵
                                  • Loads dropped DLL
                                  • Drops file in Windows directory
                                  PID:616
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2cc -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
                                  2⤵
                                  • Loads dropped DLL
                                  • Drops file in Windows directory
                                  PID:2016
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
                                  2⤵
                                    PID:2168
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
                                    2⤵
                                    • Loads dropped DLL
                                    • Drops file in Windows directory
                                    PID:2968
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2e0 -Comment "NGen Worker Process"
                                    2⤵
                                      PID:2752
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 308 -NGENProcess 2f4 -Pipe 2b4 -Comment "NGen Worker Process"
                                      2⤵
                                        PID:2944
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"
                                        2⤵
                                          PID:956
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2cc -Pipe 2fc -Comment "NGen Worker Process"
                                          2⤵
                                            PID:908
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f4 -Pipe 2e8 -Comment "NGen Worker Process"
                                            2⤵
                                              PID:2272
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"
                                              2⤵
                                                PID:980
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2cc -Pipe 2e4 -Comment "NGen Worker Process"
                                                2⤵
                                                  PID:1480
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
                                                  2⤵
                                                    PID:2528
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
                                                    2⤵
                                                      PID:480
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2cc -Pipe 310 -Comment "NGen Worker Process"
                                                      2⤵
                                                        PID:2212
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f4 -Pipe 314 -Comment "NGen Worker Process"
                                                        2⤵
                                                          PID:2292
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
                                                          2⤵
                                                            PID:616
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2cc -Pipe 31c -Comment "NGen Worker Process"
                                                            2⤵
                                                              PID:1788
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2f4 -Pipe 320 -Comment "NGen Worker Process"
                                                              2⤵
                                                                PID:2584
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
                                                                2⤵
                                                                  PID:624
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2cc -Pipe 328 -Comment "NGen Worker Process"
                                                                  2⤵
                                                                    PID:2172
                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2f4 -Pipe 32c -Comment "NGen Worker Process"
                                                                    2⤵
                                                                      PID:2984
                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"
                                                                      2⤵
                                                                        PID:2424
                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2cc -Pipe 334 -Comment "NGen Worker Process"
                                                                        2⤵
                                                                          PID:1704
                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2f4 -Pipe 338 -Comment "NGen Worker Process"
                                                                          2⤵
                                                                            PID:2272
                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 304 -Pipe 33c -Comment "NGen Worker Process"
                                                                            2⤵
                                                                              PID:924
                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 354 -NGENProcess 350 -Pipe 2cc -Comment "NGen Worker Process"
                                                                              2⤵
                                                                                PID:2336
                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 340 -NGENProcess 304 -Pipe 344 -Comment "NGen Worker Process"
                                                                                2⤵
                                                                                  PID:1480
                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 360 -NGENProcess 34c -Pipe 2c8 -Comment "NGen Worker Process"
                                                                                  2⤵
                                                                                  • Loads dropped DLL
                                                                                  • Drops file in Windows directory
                                                                                  PID:2972
                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 34c -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"
                                                                                  2⤵
                                                                                    PID:2212
                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"
                                                                                    2⤵
                                                                                      PID:2468
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                        PID:1992
                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"
                                                                                        2⤵
                                                                                          PID:3036
                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 304 -Pipe 35c -Comment "NGen Worker Process"
                                                                                          2⤵
                                                                                            PID:1236
                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 304 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
                                                                                            2⤵
                                                                                              PID:2220
                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 364 -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
                                                                                              2⤵
                                                                                                PID:2708
                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 34c -NGENProcess 360 -Pipe 2f4 -Comment "NGen Worker Process"
                                                                                                2⤵
                                                                                                  PID:2944
                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 384 -NGENProcess 368 -Pipe 354 -Comment "NGen Worker Process"
                                                                                                  2⤵
                                                                                                    PID:768
                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 36c -Comment "NGen Worker Process"
                                                                                                    2⤵
                                                                                                      PID:2016
                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"
                                                                                                      2⤵
                                                                                                        PID:1888
                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 38c -NGENProcess 388 -Pipe 368 -Comment "NGen Worker Process"
                                                                                                        2⤵
                                                                                                          PID:1804
                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 304 -NGENProcess 360 -Pipe 364 -Comment "NGen Worker Process"
                                                                                                          2⤵
                                                                                                            PID:2752
                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 398 -NGENProcess 384 -Pipe 370 -Comment "NGen Worker Process"
                                                                                                            2⤵
                                                                                                              PID:2172
                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 388 -Pipe 394 -Comment "NGen Worker Process"
                                                                                                              2⤵
                                                                                                                PID:1296
                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 360 -Pipe 34c -Comment "NGen Worker Process"
                                                                                                                2⤵
                                                                                                                  PID:2512
                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 390 -Comment "NGen Worker Process"
                                                                                                                  2⤵
                                                                                                                    PID:2992
                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 388 -Pipe 38c -Comment "NGen Worker Process"
                                                                                                                    2⤵
                                                                                                                      PID:1472
                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 360 -Pipe 304 -Comment "NGen Worker Process"
                                                                                                                      2⤵
                                                                                                                        PID:2920
                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 384 -Pipe 398 -Comment "NGen Worker Process"
                                                                                                                        2⤵
                                                                                                                          PID:2064
                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 3b4 -Comment "NGen Worker Process"
                                                                                                                          2⤵
                                                                                                                            PID:1480
                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b8 -NGENProcess 378 -Pipe 39c -Comment "NGen Worker Process"
                                                                                                                            2⤵
                                                                                                                              PID:264
                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 360 -NGENProcess 384 -Pipe 3bc -Comment "NGen Worker Process"
                                                                                                                              2⤵
                                                                                                                                PID:2340
                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3c0 -NGENProcess 388 -Pipe 3a8 -Comment "NGen Worker Process"
                                                                                                                                2⤵
                                                                                                                                  PID:2248
                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 378 -Pipe 3a0 -Comment "NGen Worker Process"
                                                                                                                                  2⤵
                                                                                                                                    PID:2060
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 384 -Pipe 3b0 -Comment "NGen Worker Process"
                                                                                                                                    2⤵
                                                                                                                                      PID:1284
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 388 -Pipe 3a4 -Comment "NGen Worker Process"
                                                                                                                                      2⤵
                                                                                                                                        PID:888
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 378 -Pipe 3b8 -Comment "NGen Worker Process"
                                                                                                                                        2⤵
                                                                                                                                          PID:584
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 378 -NGENProcess 3c4 -Pipe 3d8 -Comment "NGen Worker Process"
                                                                                                                                          2⤵
                                                                                                                                            PID:1688
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 378 -NGENProcess 3d0 -Pipe 3d4 -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:2396
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3c0 -NGENProcess 3c4 -Pipe 3ac -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:2340
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 360 -Pipe 3c8 -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:1208
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3e4 -NGENProcess 3d0 -Pipe 3dc -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:2584
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d0 -NGENProcess 3c0 -Pipe 3e0 -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:1512
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3ec -NGENProcess 360 -Pipe 378 -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:2196
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3d0 -Comment "NGen Worker Process"
                                                                                                                                            2⤵
                                                                                                                                              PID:2008
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3e4 -NGENProcess 3f0 -Pipe 360 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:3004
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3ec -NGENProcess 3f4 -Pipe 3c4 -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:2752
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 388 -NGENProcess 3cc -Pipe 3ec -Comment "NGen Worker Process"
                                                                                                                                              2⤵
                                                                                                                                                PID:2812
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 408 -NGENProcess 384 -Pipe 404 -Comment "NGen Worker Process"
                                                                                                                                                2⤵
                                                                                                                                                  PID:936
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f0 -Pipe 3c0 -Comment "NGen Worker Process"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:1532
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f0 -NGENProcess 3fc -Pipe 414 -Comment "NGen Worker Process"
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2068
                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e4 -NGENProcess 410 -Pipe 3e8 -Comment "NGen Worker Process"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2020
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 418 -NGENProcess 408 -Pipe 3f8 -Comment "NGen Worker Process"
                                                                                                                                                        2⤵
                                                                                                                                                          PID:684
                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3fc -Pipe 3cc -Comment "NGen Worker Process"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1772
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 410 -Pipe 388 -Comment "NGen Worker Process"
                                                                                                                                                            2⤵
                                                                                                                                                              PID:2892
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:764
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 424 -NGENProcess 420 -Pipe 3fc -Comment "NGen Worker Process"
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2780
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 3f0 -NGENProcess 408 -Pipe 3e4 -Comment "NGen Worker Process"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:936
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 430 -NGENProcess 41c -Pipe 384 -Comment "NGen Worker Process"
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:2920
                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 41c -NGENProcess 428 -Pipe 438 -Comment "NGen Worker Process"
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:1208
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 42c -NGENProcess 424 -Pipe 420 -Comment "NGen Worker Process"
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:1816
                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 418 -NGENProcess 428 -Pipe 410 -Comment "NGen Worker Process"
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:2584
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 440 -NGENProcess 430 -Pipe 408 -Comment "NGen Worker Process"
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:2212
                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 424 -Pipe 43c -Comment "NGen Worker Process"
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:2892
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 444 -NGENProcess 440 -Pipe 428 -Comment "NGen Worker Process"
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:916
                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 434 -NGENProcess 424 -Pipe 41c -Comment "NGen Worker Process"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:1356
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 448 -NGENProcess 454 -Pipe 444 -Comment "NGen Worker Process"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                    PID:2672
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 454 -NGENProcess 418 -Pipe 424 -Comment "NGen Worker Process"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:2220
                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 458 -NGENProcess 434 -Pipe 430 -Comment "NGen Worker Process"
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:2108
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 454 -NGENProcess 3f0 -Pipe 44c -Comment "NGen Worker Process"
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:2512
                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 42c -NGENProcess 45c -Pipe 450 -Comment "NGen Worker Process"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:1728
                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 464 -NGENProcess 434 -Pipe 440 -Comment "NGen Worker Process"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:2624
                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 3f0 -Pipe 448 -Comment "NGen Worker Process"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:936
                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 45c -Pipe 460 -Comment "NGen Worker Process"
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:2376
                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 470 -NGENProcess 434 -Pipe 458 -Comment "NGen Worker Process"
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                  PID:2316
                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 434 -NGENProcess 468 -Pipe 3f0 -Comment "NGen Worker Process"
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:2820
                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 478 -NGENProcess 45c -Pipe 42c -Comment "NGen Worker Process"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:2760
                                                                                                                                                                                                  • C:\Windows\ehome\ehRecvr.exe
                                                                                                                                                                                                    C:\Windows\ehome\ehRecvr.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                    PID:2512
                                                                                                                                                                                                  • C:\Windows\ehome\ehsched.exe
                                                                                                                                                                                                    C:\Windows\ehome\ehsched.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:1704
                                                                                                                                                                                                  • C:\Windows\eHome\EhTray.exe
                                                                                                                                                                                                    "C:\Windows\eHome\EhTray.exe" /nav:-2
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                    PID:980
                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:404
                                                                                                                                                                                                  • C:\Windows\system32\IEEtwCollector.exe
                                                                                                                                                                                                    C:\Windows\system32\IEEtwCollector.exe /V
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:1280
                                                                                                                                                                                                  • C:\Windows\ehome\ehRec.exe
                                                                                                                                                                                                    C:\Windows\ehome\ehRec.exe -Embedding
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:1580
                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:776
                                                                                                                                                                                                  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:1656
                                                                                                                                                                                                  • C:\Windows\System32\msdtc.exe
                                                                                                                                                                                                    C:\Windows\System32\msdtc.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                    PID:2360
                                                                                                                                                                                                  • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                    C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:1584
                                                                                                                                                                                                  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
                                                                                                                                                                                                    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:2756
                                                                                                                                                                                                  • C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                                                                    C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:2644
                                                                                                                                                                                                  • C:\Windows\system32\locator.exe
                                                                                                                                                                                                    C:\Windows\system32\locator.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:2648
                                                                                                                                                                                                  • C:\Windows\System32\snmptrap.exe
                                                                                                                                                                                                    C:\Windows\System32\snmptrap.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:2964
                                                                                                                                                                                                  • C:\Windows\System32\vds.exe
                                                                                                                                                                                                    C:\Windows\System32\vds.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:1196
                                                                                                                                                                                                  • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                    C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:340
                                                                                                                                                                                                  • C:\Windows\system32\wbengine.exe
                                                                                                                                                                                                    "C:\Windows\system32\wbengine.exe"
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:2536
                                                                                                                                                                                                  • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                    C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:2504
                                                                                                                                                                                                  • C:\Program Files\Windows Media Player\wmpnetwk.exe
                                                                                                                                                                                                    "C:\Program Files\Windows Media Player\wmpnetwk.exe"
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:1656
                                                                                                                                                                                                  • C:\Windows\system32\SearchIndexer.exe
                                                                                                                                                                                                    C:\Windows\system32\SearchIndexer.exe /Embedding
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:2344
                                                                                                                                                                                                    • C:\Windows\system32\SearchProtocolHost.exe
                                                                                                                                                                                                      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                      PID:2676
                                                                                                                                                                                                    • C:\Windows\system32\SearchFilterHost.exe
                                                                                                                                                                                                      "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                      PID:1676

                                                                                                                                                                                                  Network

                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                        • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          706KB


                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          30.1MB


                                                                                                                                                                                                        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          781KB


                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.1MB


                                                                                                                                                                                                        • C:\Program Files\Windows Media Player\wmpnetwk.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.0MB


                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1024KB


                                                                                                                                                                                                        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1024KB


                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          24B


                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          872KB


                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          678KB


                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          8KB


                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          625KB


                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1003KB


                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          656KB

                                                                                                                                                                                                        • C:\Windows\SysWOW64\perfhost.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          587KB

                                                                                                                                                                                                        • C:\Windows\System32\Locator.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          577KB

                                                                                                                                                                                                        • C:\Windows\System32\SearchIndexer.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                        • C:\Windows\System32\VSSVC.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                        • C:\Windows\System32\ieetwcollector.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          674KB

                                                                                                                                                                                                        • C:\Windows\System32\msdtc.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          705KB

                                                                                                                                                                                                        • C:\Windows\System32\snmptrap.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          581KB

                                                                                                                                                                                                        • C:\Windows\System32\vds.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                        • C:\Windows\System32\wbem\WmiApSrv.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          765KB

                                                                                                                                                                                                        • C:\Windows\Temp\Cab2F5A.tmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          29KB

                                                                                                                                                                                                        • C:\Windows\Temp\Tar2FE8.tmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          81KB

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          105KB

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          7835e60e560a49049ae728698da3d301

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          87b357b1b3c9a2ad2f3b89b10a42af021ab76afe

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          238KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0a4ed78b7995d94fa42379f84cd5f8e9

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          90ba188fe0ebd38ad225e7ce3a24dd9b6b68056b

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          0a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          86ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          248KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          4bbf44ea6ee52d7af8e58ea9c0caa120

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          9958f23efa2a86f8195f11054f94189a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          78ec93b44569ea7ebce452765568da5c73511931

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          3235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          3061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          598a06ea8f1611a24f86bc0bef0f547e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          5a4401a54aa6cd5d8fd883702467879fb5823e37

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          58KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3d6987fc36386537669f2450761cdd9d

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          7a35de593dce75d1cb6a50c68c96f200a93eb0c9

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          205KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          0a41e63195a60814fe770be368b4992f

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          43KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          68c51bcdc03e97a119431061273f045a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          6ecba97b7be73bf465adf3aa1d6798fedcc1e435

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          198KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          9d9305a1998234e5a8f7047e1d8c0efe

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          ba7e589d4943cd4fc9f26c55e83c77559e7337a8

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          91KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          adc5887e89bc56694a193d92898d3518

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          267f14c45a86d50ad627c6cb00626049e9c1ee20

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          edc77665afe4901d4370c6a4fe7427b235a8b4bbcd58ac41ee72440cf414bb5b

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          bdea1e13b655e62b74f908f1012a746992245ffcebe21bad624e6e051429e8cccf531fc03fa1fc7319bc5c9c6367c261174394f9623a1968c6381d674b341a37

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\52b55f04f393adf09fa60a0527866613\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          271KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          f23623bd982a6647b2129208e42458cf

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          9478d5c14ea8088ca77cc7d24575c66a4a0c5d09

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1d70e881aff97a72b9f5d8810ef71602f7b61bd83e26d74873da8d3e1168b58c

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          97e774985916f9c6049999ee29420b0ff0d4b675c0b312190414dd6f2daf6865c7910469d7a417342fdfed6c6cdbc84112ea2600f7e3b496ad446a789e851461

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\584b97a64fc55f5ea5a368a565c49281\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          305KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          c6c1ab7948cdea46a2b8086e12bbaca3

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          faa86f94e053613f3b2c61165e3fcd6415e4d358

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          9c9c67935ae3a05e1d264ba13be867efa12ef76ce36be992e03f2a98b1c12d1e

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4d461670b59815604f0a2dd5a68614f7d3748ba86c86d754e5bec7fca1c0a1ec96caef4e5d951bb7f53e9bc0ec13cd62b3ade819dbb465e4d050ec4f5722c4ac

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\585e8f83eff436c8156f071e8f2bdaa0\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          04a6857c04546270358d14398fde209e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          596a3e11ac6c303c679edfd6c30aa71e8eaf8a23

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          8eb8d5e0c2097d6fdae4b58cfde3e1be1dd6e59968891ac6d11efe8adf227285

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          4e8bfd6bf9463a004c17a897026bcc1b4edb0764c7e959f09a744d395e9885b24f8e869b78896218ce930562796a3a8e3a7f0a59ba11c8dfa32b0908c5706b22

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5ff0984e38725c84073b7ee077dfb9f6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          221KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          3431778d460f1771d07bb677246d61b0

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          f74cc178b2ba8bf734bf3bc1a7a40b742514b65d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          e5dba9584b50c3e8e19b06a8067bfdafaa112553ca25e59be26020595b9577ea

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          f9203ffa077ba16a26f5c8113825ce5410ecdeb1fe87e8d34d9a19b33ca58342d154ac5bc549d8442b941b492491de46308a3d927a9a3a1c3df9afa070ee6b68

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          70KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          57b601497b76f8cd4f0486d8c8bf918e

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          da797c446d4ca5a328f6322219f14efe90a5be54

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          87KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          ed5c3f3402e320a8b4c6a33245a687d1

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          4da11c966616583a817e98f7ee6fce6cde381dae

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          82KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          2eeeff61d87428ae7a2e651822adfdc4

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          66f3811045a785626e6e1ea7bab7e42262f4c4c1

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          58KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          a8b651d9ae89d5e790ab8357edebbffe

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          500cff2ba14e4c86c25c045a51aec8aa6e62d796

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a8141e9e81e2c3bbf457e4980d4c2847\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          483KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          aae5a97685a809d0a0f661f9319f8a12

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          b5fdd4ec4cc057fccc868de4f4910be89e23e48a

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          c26eea914017a12af65dc7ebcbbf86d5a620de60f57e3660057163613f2b0233

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          d95c0635c587fe40e2c33cabf14e2893be49df06aebf2d40f4c0623f649e9abbd73a95cc5e3740db3b15df07406e36b1534781e63ee485e54671cfb21d3317fb

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          85KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          5180107f98e16bdca63e67e7e3169d22

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          dd2e82756dcda2f5a82125c4d743b4349955068d

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          298KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          5fd34a21f44ccbeda1bf502aa162a96a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          1f3b1286c01dea47be5e65cb72956a2355e1ae5e

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f88037bc78f5b10ec69ac2d038b21175\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          122KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          be6877363386c331f861bfa265c0795a

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          4b8372793937895be97516376444c49b5c09b022

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          42842d87c3da50a07ab1925dc19fe64d8b6dce142c3cddec2bfe1db8c9480fd9

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          85346feca78086eaacbdf6f970feb076246b7202fb92a77f43e411e07fef21ab9eff22e9b00a25d095e357118904a29f45a525452d14d03dc3370fca1343e8bd

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          43KB

                                                                                                                                                                                                          MD5

                                                                                                                                                                                                          dd1dfa421035fdfb6fd96d301a8c3d96

                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                          d535030ad8d53d57f45bc14c7c7b69efd929efb3

                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                          f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                          8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          124KB

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.1MB

                                                                                                                                                                                                        • C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          88KB

                                                                                                                                                                                                        • C:\Windows\ehome\ehsched.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          691KB

                                                                                                                                                                                                        • \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          648KB

                                                                                                                                                                                                        • \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          603KB

                                                                                                                                                                                                        • \Windows\System32\alg.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          644KB

                                                                                                                                                                                                        • \Windows\System32\msiexec.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          691KB

                                                                                                                                                                                                        • \Windows\System32\wbengine.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                        • \Windows\ehome\ehrecvr.exe

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.2MB


                                                                                                                                                                                                        • memory/896-786-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          744KB

                                                                                                                                                                                                        • memory/896-785-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1132-696-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1132-684-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1196-613-0x0000000100000000-0x0000000100114000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                        • memory/1196-269-0x0000000100000000-0x0000000100114000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                        • memory/1280-160-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          696KB

                                                                                                                                                                                                        • memory/1280-280-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          696KB

                                                                                                                                                                                                        • memory/1352-73-0x0000000140000000-0x00000001400D6000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          856KB

                                                                                                                                                                                                        • memory/1352-9-0x0000000001C30000-0x0000000001C90000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          384KB

                                                                                                                                                                                                        • memory/1352-1-0x0000000001C30000-0x0000000001C90000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          384KB

                                                                                                                                                                                                        • memory/1352-0-0x0000000140000000-0x00000001400D6000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          856KB

                                                                                                                                                                                                        • memory/1520-830-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1520-843-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1544-861-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1576-714-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1576-614-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1576-627-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1584-212-0x0000000000540000-0x00000000005F2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          712KB

                                                                                                                                                                                                        • memory/1584-211-0x0000000100000000-0x00000001000B2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          712KB

                                                                                                                                                                                                        • memory/1584-319-0x0000000000540000-0x00000000005F2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          712KB

                                                                                                                                                                                                        • memory/1584-318-0x0000000100000000-0x00000001000B2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          712KB

                                                                                                                                                                                                        • memory/1616-679-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1628-759-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1656-184-0x0000000140000000-0x00000001400CA000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          808KB

                                                                                                                                                                                                        • memory/1656-326-0x0000000100000000-0x000000010020A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                        • memory/1656-659-0x0000000100000000-0x000000010020A000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                        • memory/1704-256-0x0000000140000000-0x00000001400B2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          712KB

                                                                                                                                                                                                        • memory/1704-125-0x0000000140000000-0x00000001400B2000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          712KB

                                                                                                                                                                                                        • memory/1728-810-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1728-791-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1772-598-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          696KB

                                                                                                                                                                                                        • memory/1772-584-0x0000000140000000-0x00000001400AE000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          696KB

                                                                                                                                                                                                        • memory/1776-880-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1776-869-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1828-80-0x0000000000330000-0x0000000000397000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          412KB

                                                                                                                                                                                                        • memory/1828-75-0x0000000000330000-0x0000000000397000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          412KB

                                                                                                                                                                                                        • memory/1828-215-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1828-74-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1908-877-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          672KB

                                                                                                                                                                                                        • memory/1908-883-0x0000000000400000-0x00000000004A8000-memory.dmp

                                                                                                                                                                                                          Filesize


                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          696KB

                                                                                                                                                                                                        • memory/2976-96-0x0000000000A30000-0x0000000000A90000-memory.dmp

                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                          384KB