6e8336861d91952927423b2aa5f154f8baaf293875cd7b5944441f1ccf230b7f

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_4e210d035c4c0b387688a8a878858403_avoslocker.exe
Size

1.3MB
MD5

4e210d035c4c0b387688a8a878858403
SHA1

743679efcd38004c8b0ae0baefb6e80bfb008483
SHA256

6e8336861d91952927423b2aa5f154f8baaf293875cd7b5944441f1ccf230b7f
SHA512

19a002a6610171a0a5f7a6dcbcf7456fcba5868a26f53cdba6be2fa726ce0dbd96b026226bb756a00ac139e0d6d47d96292d89badfc371fa00c23dbccd1766c0
SSDEEP

24576:H2zEYytjjqNSlhvpfQiIhKPtehfQw99qySkbgedgTNjx+mZCkt76f/24pN+XNqNl:HPtjtQiIhUyQc1SkFdYf9Ckt7c20+9qT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2564	alg.exe
2792	aspnet_state.exe
2620	mscorsvw.exe
2960	mscorsvw.exe
2704	elevation_service.exe
1768	GROOVE.EXE
1216	maintenanceservice.exe
2380	OSE.EXE
1536	OSPPSVC.EXE
1428	mscorsvw.exe
3008	mscorsvw.exe
2736	mscorsvw.exe
2956	mscorsvw.exe
2828	mscorsvw.exe
1192	mscorsvw.exe
2644	mscorsvw.exe
804	mscorsvw.exe
2336	mscorsvw.exe
1144	mscorsvw.exe
284	mscorsvw.exe
1564	mscorsvw.exe
2260	mscorsvw.exe
1960	mscorsvw.exe
1980	mscorsvw.exe
2728	mscorsvw.exe
2468	mscorsvw.exe
1752	mscorsvw.exe
1148	mscorsvw.exe
2284	mscorsvw.exe
532	mscorsvw.exe
2452	mscorsvw.exe
2188	mscorsvw.exe
792	mscorsvw.exe
2252	mscorsvw.exe
1500	mscorsvw.exe
1204	mscorsvw.exe
2852	mscorsvw.exe
2768	mscorsvw.exe
2448	mscorsvw.exe
2452	mscorsvw.exe
2128	mscorsvw.exe
1608	mscorsvw.exe
2260	mscorsvw.exe
1408	mscorsvw.exe
2440	mscorsvw.exe
2812	mscorsvw.exe
2208	mscorsvw.exe
1404	mscorsvw.exe
380	mscorsvw.exe
2888	mscorsvw.exe
604	mscorsvw.exe
864	mscorsvw.exe
1016	mscorsvw.exe
1940	mscorsvw.exe
2872	mscorsvw.exe
1504	mscorsvw.exe
1500	mscorsvw.exe
2948	mscorsvw.exe
348	mscorsvw.exe
572	mscorsvw.exe
1856	mscorsvw.exe
2232	mscorsvw.exe
688	mscorsvw.exe

Loads dropped DLL 43 IoCs

pid	Process
476	Process not Found
2448	mscorsvw.exe
2448	mscorsvw.exe
2128	mscorsvw.exe
2128	mscorsvw.exe
2260	mscorsvw.exe
2260	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
2208	mscorsvw.exe
2208	mscorsvw.exe
380	mscorsvw.exe
380	mscorsvw.exe
604	mscorsvw.exe
604	mscorsvw.exe
1016	mscorsvw.exe
1016	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
1500	mscorsvw.exe
1500	mscorsvw.exe
348	mscorsvw.exe
348	mscorsvw.exe
1856	mscorsvw.exe
1856	mscorsvw.exe
688	mscorsvw.exe
688	mscorsvw.exe
2560	mscorsvw.exe
2560	mscorsvw.exe
2344	mscorsvw.exe
2344	mscorsvw.exe
1400	mscorsvw.exe
1400	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe
2640	mscorsvw.exe
2640	mscorsvw.exe
2172	mscorsvw.exe
2172	mscorsvw.exe
2868	mscorsvw.exe
2868	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_4e210d035c4c0b387688a8a878858403_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a098b4edc1bd2e0a.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAA43.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP671C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP67F7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP692F.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6D05.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP601A.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2088	2024-04-27_4e210d035c4c0b387688a8a878858403_avoslocker.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeDebugPrivilege	2564	alg.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeDebugPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe
Token: SeShutdownPrivilege	2960	mscorsvw.exe
Token: SeShutdownPrivilege	2620	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1428	2960	mscorsvw.exe	37
PID 2960 wrote to memory of 1428	2960	mscorsvw.exe	37
PID 2960 wrote to memory of 1428	2960	mscorsvw.exe	37
PID 2960 wrote to memory of 3008	2960	mscorsvw.exe	38
PID 2960 wrote to memory of 3008	2960	mscorsvw.exe	38
PID 2960 wrote to memory of 3008	2960	mscorsvw.exe	38
PID 2620 wrote to memory of 2736	2620	mscorsvw.exe	39
PID 2620 wrote to memory of 2736	2620	mscorsvw.exe	39
PID 2620 wrote to memory of 2736	2620	mscorsvw.exe	39
PID 2620 wrote to memory of 2736	2620	mscorsvw.exe	39
PID 2620 wrote to memory of 2956	2620	mscorsvw.exe	40
PID 2620 wrote to memory of 2956	2620	mscorsvw.exe	40
PID 2620 wrote to memory of 2956	2620	mscorsvw.exe	40
PID 2620 wrote to memory of 2956	2620	mscorsvw.exe	40
PID 2620 wrote to memory of 2828	2620	mscorsvw.exe	41
PID 2620 wrote to memory of 2828	2620	mscorsvw.exe	41
PID 2620 wrote to memory of 2828	2620	mscorsvw.exe	41
PID 2620 wrote to memory of 2828	2620	mscorsvw.exe	41
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	42
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	42
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	42
PID 2620 wrote to memory of 1192	2620	mscorsvw.exe	42
PID 2620 wrote to memory of 2644	2620	mscorsvw.exe	43
PID 2620 wrote to memory of 2644	2620	mscorsvw.exe	43
PID 2620 wrote to memory of 2644	2620	mscorsvw.exe	43
PID 2620 wrote to memory of 2644	2620	mscorsvw.exe	43
PID 2620 wrote to memory of 804	2620	mscorsvw.exe	44
PID 2620 wrote to memory of 804	2620	mscorsvw.exe	44
PID 2620 wrote to memory of 804	2620	mscorsvw.exe	44
PID 2620 wrote to memory of 804	2620	mscorsvw.exe	44
PID 2620 wrote to memory of 2336	2620	mscorsvw.exe	45
PID 2620 wrote to memory of 2336	2620	mscorsvw.exe	45
PID 2620 wrote to memory of 2336	2620	mscorsvw.exe	45
PID 2620 wrote to memory of 2336	2620	mscorsvw.exe	45
PID 2620 wrote to memory of 1144	2620	mscorsvw.exe	46
PID 2620 wrote to memory of 1144	2620	mscorsvw.exe	46
PID 2620 wrote to memory of 1144	2620	mscorsvw.exe	46
PID 2620 wrote to memory of 1144	2620	mscorsvw.exe	46
PID 2620 wrote to memory of 284	2620	mscorsvw.exe	47
PID 2620 wrote to memory of 284	2620	mscorsvw.exe	47
PID 2620 wrote to memory of 284	2620	mscorsvw.exe	47
PID 2620 wrote to memory of 284	2620	mscorsvw.exe	47
PID 2620 wrote to memory of 1564	2620	mscorsvw.exe	48
PID 2620 wrote to memory of 1564	2620	mscorsvw.exe	48
PID 2620 wrote to memory of 1564	2620	mscorsvw.exe	48
PID 2620 wrote to memory of 1564	2620	mscorsvw.exe	48
PID 2620 wrote to memory of 2260	2620	mscorsvw.exe	49
PID 2620 wrote to memory of 2260	2620	mscorsvw.exe	49
PID 2620 wrote to memory of 2260	2620	mscorsvw.exe	49
PID 2620 wrote to memory of 2260	2620	mscorsvw.exe	49
PID 2620 wrote to memory of 1960	2620	mscorsvw.exe	50
PID 2620 wrote to memory of 1960	2620	mscorsvw.exe	50
PID 2620 wrote to memory of 1960	2620	mscorsvw.exe	50
PID 2620 wrote to memory of 1960	2620	mscorsvw.exe	50
PID 2620 wrote to memory of 1980	2620	mscorsvw.exe	51
PID 2620 wrote to memory of 1980	2620	mscorsvw.exe	51
PID 2620 wrote to memory of 1980	2620	mscorsvw.exe	51
PID 2620 wrote to memory of 1980	2620	mscorsvw.exe	51
PID 2620 wrote to memory of 2728	2620	mscorsvw.exe	52
PID 2620 wrote to memory of 2728	2620	mscorsvw.exe	52
PID 2620 wrote to memory of 2728	2620	mscorsvw.exe	52
PID 2620 wrote to memory of 2728	2620	mscorsvw.exe	52
PID 2620 wrote to memory of 2468	2620	mscorsvw.exe	53
PID 2620 wrote to memory of 2468	2620	mscorsvw.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-27_4e210d035c4c0b387688a8a878858403_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_4e210d035c4c0b387688a8a878858403_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 238 -NGENProcess 1ec -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 238 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d0 -NGENProcess 1e4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 240 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1e4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 238 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1e4 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 238 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 1e4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 274 -NGENProcess 240 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1ec -NGENProcess 28c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 298 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1e0 -NGENProcess 1b8 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 254 -NGENProcess 1bc -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 244 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1b8 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1bc -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 1b8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 268 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 1b8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1b8 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 280 -NGENProcess 244 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 244 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 284 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 1b8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 244 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 294 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 268 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a0 -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 244 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2a8 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 268 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2b0 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 298 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 288 -NGENProcess 2b4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b8 -NGENProcess 298 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c8 -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 284 -NGENProcess 2b4 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b4 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 284 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 284 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 300 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 298 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e8 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 318 -NGENProcess 314 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2ec -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2ec -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2cc -NGENProcess 2f4 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2cc -NGENProcess 2ec -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 334 -NGENProcess 324 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2ec -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 324 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 324 -NGENProcess 334 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2cc -NGENProcess 344 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 344 -NGENProcess 338 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 318 -NGENProcess 34c -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 354 -NGENProcess 2cc -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2f4 -NGENProcess 34c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 360 -NGENProcess 344 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:3008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 334 -NGENProcess 338 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 364 -NGENProcess 324 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 324 -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 36c -NGENProcess 338 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 368 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 360 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 338 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 380 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 364 -NGENProcess 34c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 384 -NGENProcess 36c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 34c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 36c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 398 -NGENProcess 368 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 380 -NGENProcess 338 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 38c -NGENProcess 384 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 364 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 39c -NGENProcess 398 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 36c -NGENProcess 3a4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3ac -NGENProcess 38c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 398 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3a4 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 38c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 398 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 38c -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 398 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d0 -NGENProcess 3a4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3b4 -NGENProcess 384 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3d8 -NGENProcess 3bc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b8 -NGENProcess 398 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3dc -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3bc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 42c -NGENProcess 428 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 440 -NGENProcess 430 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
c33ecf480f6334457c1187fa4042b8d4

SHA1
dd303e303f5f05d4906a962c91dbbfdb69fe8f0c

SHA256
51ac11681618491eb6b325524c184d9382e546e66a8a33e66638d036514d24a0

SHA512
008d81f46bd0533f531a9b16135163de68df490509eec146bc750435a38621c0da1b806124d8567cb520631684f2ff77db3f7832f97e5cd5c9fcf571d0a6b0a9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
7cead241eac82e45dadf6e4112ee890f

SHA1
6ce70ea2af382bda907c4095640abe5909b1444c

SHA256
4c638659273a81c452ca9c4ad1de17e660c67feaab4566be0def19107fb4b2b2

SHA512
4421d7985e79b794f554ed1918800c668b745028cbecd1f4e6a8545c8eaefd6b85868bb7b46103f40598b9969d4b93c6f1b11b3dba7b62e7d6fe9c87d9571419

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
d2bc7e368357886e7f1f6e33a7596846

SHA1
9c3cb96fa035fb213ffc0c408f12294667b68ba7

SHA256
7ea38aa2b8aeb014e4737019151e357c7e4420bb4ae7c554ba9f1942b2e282c4

SHA512
4cbeae2dfcff43b52a0894879ae06c739d17210740d0786e332d6dbd3108b61f960c4000d03006e269da9c040dfc0eed33b45f126ebe8171ff2f69c6a96ac89c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
6a94de8d5be1c515dc03c9b06e96d153

SHA1
56dacd64812327f755eebe59a7359109da97bf8a

SHA256
c3a46fcebb51628da3eee91d8db242e45afdcfdcfc4d735c1d02059f52c434a2

SHA512
23649eba390f3f958fd6af3e539e86ab83d24039bfec1d34c9ef8e47282803c5ef77f1eb1cf0ffdedb4b3580765c42ec8acde55e6294de3f08d4c22a742ef024

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
5aff01d67c8729e366c5770a051841ea

SHA1
8930b9b42169fa2bef7061d9906de210a224591b

SHA256
e455996edf26a1047c271a67106e66001819ae65b1a9087b3cff8018ef1febde

SHA512
f1e4a68055b225dcdf03758be74c98aca9c833dddf04c5596fca19ebbc57c77e60f9553f1ef4fc83e90de93b23981f1fd07d75943f78344968af08e6dbbf6616

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
cf20fb9fe96f32ff539b6cf1605762a7

SHA1
15bb4168ef282e332fd827debb3937e837200c3a

SHA256
02d27f48fdc1c419bc06964682546de41bc3b357551f3433a76fcc0bf830d3a9

SHA512
356ca52d63df71e28b094aed5f1a2a8e5b73e6a3a958b5dc4f49a785b0316c290ed7ce7c2fe91e91bcac5c78585eb33f879af182868510a67ac9da0610f00c8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
bdb10d99f918c492796e36c69e0a770a

SHA1
4e45bcdcf37aee346b770e2bb80f696f58a58ffc

SHA256
9509f626e7e8f8f033adc62b36c88dcae52dc929cfbd1a8084790751539ecfef

SHA512
cdb075d3a2a9f468149261b019b113de6eea2b60e6fe3abb5ac113d3fdda74f638de59ad62f6bf3c951ac5696e8a033ed443867f1adc2842cc907bb0777a8cb3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9ce01e40ec3f82d763d69dc6bf1b27ec

SHA1
426e0290fde58c636178897a4d09dd4e75bf71d3

SHA256
d8eb9f77140d369da8963e6d77df3279217e99f03208cfad5837372573dec0b0

SHA512
94575810747463884e5599ce496d7663d728c28ee2caf1d903f240a107fa2317710c474614645cda3f756e409c688f0c8fb96143882face1b75b5446c7451b93

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e0479fdd2383f45f000fb64814a23ee8

SHA1
eb147f192b34acebc5c71db9886504d7249886ac

SHA256
2ac84ac185ab5b0668405ef87c6bb2f5d9ec33bf3e9e667f066c23af38299c00

SHA512
22507489cfc0b3f0ce13ce5525a0b6370eebcc4bc2bbb50fdcbb7e9559a8f06a17f55834c511ce81b237769448c813fdeb3b99f9464ada7a4d13aedaa57ed711

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e5dec0abeee6832822281cedfb089817

SHA1
0e282646574c0849243fba10d2a0bb6a99dc5379

SHA256
2ae0ae6f177a05983a47ce36abf1bba0ff3dd6a07681a85cab0404c2832d14d6

SHA512
2b3507e31e7460c14c95f5d6af208a4ac4a289fadeac9b21db9c76190f4b30dc16a33cd6f352dc6ea9914aec976aff4232b35c785cd3f0595d76991c1a4b2101

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0748206534273e486b36f45fd91dfb8f

SHA1
e6bb01b479f19e8d3706ff51bb6b0ca01593a6ec

SHA256
d2242c8f6227d05552675a977fcf806d717512f2022cce525fdd28b7e9ddb56a

SHA512
74ae01d4557d1556600cddf135f6a149757e629ae3c1b2349159a7c1a3ca017b3637c5714d0962af1a3fd3655706e14faaa966b3936b57bb7e73a11704758b3a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
67169f3de2c43c9ea73c3fdcf64b96bd

SHA1
1f6a4c4f9bace3f3a68079a6a026d71695771f4a

SHA256
c3d0b9b01b2e6d1f5c63ec4c2034af6d487818383f5fa3b3b9fe669e0c72341c

SHA512
c0c6ee84430d931b4063da3ba982a1b04f45e27eda6f62f704e37a62e452b0eefd831c9ffc9cb9bad51a5988c20a7664204677d7e6f0c2911f342b88912c915b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
10f41f3d7d127f404493e481ce2aa9e6

SHA1
e6d940f92f4789d5f33bd90a3c01ef88bacd6e8b

SHA256
4ce971d7924fbc088faeb2f707cc010729f3af91f76490a7c3313ccc3a67d51b

SHA512
6fa288daff4a953a3e5d86731a1415f2d348080f93429bb95dc8d1785e6e44dbc87c0116d4984f863e9f405b2429873ddcf5911efbeb9b9e70b17a020239d936

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
5fbdd917f9bb6e182ed3354a9fdaef31

SHA1
48347dbc39f0e57e0308f38276b4cf76c1a8417e

SHA256
b0e1f30dc1d75a9b878f968b7546fdac2ebc820487d82ba04560009c832643bc

SHA512
638c74b4da16b1d76541962e4b86916344852c5adaa21875a7b3d1d7f53b1f9764880b349e089a5df753fc9843b0ee33c1135f219e6a7da84e3e8dab9d9f0588

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
64887d5a59a550309c4d020f7c0dc9ed

SHA1
11f0de855329724afb2b5c475a4b1466d3d5aecc

SHA256
d3e3f2d49582314ca2e3db974a6317a54724b96c5a7b15f302e3540e574b0b51

SHA512
204ed15b981159db0e0cae8762769ca12a2aa12ceb188b5d752beb7a4caa9e4d5b210f1092e4ceb89fe4be3ac4ad90ca774ad381f4e7e68064ba951b5b5cf4ed

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
067c50e3323356ee6775a27e73227c97

SHA1
83e87d802143cdb0fc12427a1a9c4808765e43d3

SHA256
594dedf7a4cfc62fc85270d9c165c69167a98fab9ee7d954c7011977c9e6a2f9

SHA512
5aea68bddcdcf3ecd37830b336315c9df73f685b56125a7c4648a7242bb0076d72616bdccee9dd3f0b05723346d3f34405fffed831dbf95a7cab7fad72e93dba

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
12f0e56bfe5685d0fea7300a6ba0a4b5

SHA1
d0ee0c4a8c126cc9a677bb7e98eca42c6b9c8c10

SHA256
bde5f16cba24f62a90864797b3a9275da52b80d8fd84e103a8108fd9b804c2d8

SHA512
2c5c23dc25af39c5df4dd90bcf227e25fd143e4864b68fea23a07a04b2f2d9ba0e41313cd770df2c9094481be013860ee8baa9fcbd9ff337a6c52c19618b5060

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
63c56298b32d287a6db65188f72e2f0d

SHA1
8d698d49561ec4945232da0054d86cb5fb291f6a

SHA256
800337b572ec20ebdf880b256493dde71488e37f10952caea618fa193874a255

SHA512
dd499fe0b4d756cbfe9fe8e3994ba3bb9ab5b57373d7eec851e24b69aa7c5acaf6e254a8231f43f449d36c360f9b46915cb6e0db50119f9f6681fe762d30a64b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
5cdf167575fab3af21d3ee240adbe02a

SHA1
3c80dda3ce3c9550878c26da137953d272acb040

SHA256
8408ea7f585b6b8f9531aa0354a3683b1adfd7a2dd8113bb11e9b88ead1004a0

SHA512
525ccc8a715bd27592d98000e699acce21af417fb6da06cae54131180a3490acba485abc80aaea6bb63161f010875869c1144588ee6cb4a36fbfc7e95b3718b7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
5af12ba7797fef062ee638efeb54106f

SHA1
e85f14d40633ee1c2237cc08a065a2badcc81605

SHA256
6fe2cfe49dd7f5c43c00cf1d92d8355df495d1d12482084df20ba0df1e0ff193

SHA512
96d691653e58e360972cd8688df40e4c490d3f31f7b306c65c3e61538e442b4bd4bdb971970ff1880e3c22b268edae9062208f0d0eff0971b910247c6da2ed8a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
410bc84745117ecebe6dab67cb6c479c

SHA1
f88b1248bf284d75d286b1e736eea65bff06e933

SHA256
a47a961ef1cf0ff5833d13f2992c6896085101c0e8a4f5d7b8851dd76a970506

SHA512
7d6f3cb3375587fcd52a31f2d95493af26240b44cda84f702bcf73c99f6bd661ef284fe09e3098ec0ad06f250851f8f2bd68949696516677b0e92e4b1b3a53ba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
4dcf227e7432fc000dcdeeca1509408f

SHA1
8772e04c3e3cbe33412c63edf4eb8649d50fd00d

SHA256
c01fc3846f49939a08f217268f5adb50ed35edd73680cd10b2ff9f459bf8def7

SHA512
dea5d4baebd366b172c6836ba6370c34762e269393066a62210ca8eeebe1dbd920cd17902f98cb7becf27505e0d6f6a5f51e79a5eda50655d2ddde30809de8fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
3c4f3ce0214db034de50533c25ba0b5d

SHA1
8ed3afaae4e7f6868b606f68e95c9505e6021b78

SHA256
a425875cb43bfb0ad8297e68e3618ce3222d4031a5502dd32b1ffbe5f4f14e5b

SHA512
6562c0cde0587cd368cf54e69f587538e047067e1454aa553f720095bcae9f889a25303eef232bb8bb6f93a51e64725dbc32c2974bcb1f099d7a766b0b9b1f09

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
a35c66762f7a3815081ebd2db09c1169

SHA1
b682f5ded89cf9d5038553c93f24fe2785370bad

SHA256
cc01741244bdc81a3006e8c2dc9b2e8301bbd0e0d4dc43de57e0ba591a058abe

SHA512
0dac43b1d4f636ce3ee403a2d4ad0fcac0e9eb3f35b501478da4d70a91885760286d013a189173a98219987902269686d54739d5131152d7a485c417d723b20b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
ac8a12d8dd1792f5dbd8d94d8ec4c447

SHA1
1dfc716613f7ea646620ecf97705111bfbb93d23

SHA256
4ace575ee9fb3eac2e34f8a696c46bbee3436aac25f61e2ec45f3a762bffd6c0

SHA512
3dacc6eafe32ec8c411238fce3c9490896fb09a7a543cc7670a4e3c80d609a55cc301ad2d5df413601e1f5a0ea238fd228408f30db4a3d01c666fff09c01c061

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
3cbd8a333870446a5dced39b129942c9

SHA1
effb4318194febe2d64c7772241ffcff8bc18b3f

SHA256
a9df6b8d6f85fae14d0865f4efbc37046baf180bbab3b93b2a3eeb83af6bf252

SHA512
53d6cae528b14cf8519e4247bb6964c484b29c78747c218a31d308483117bc0696a50b79f967457bfdae9c2ae091158cc007c0126f5570fe1b7e6ac28ee1e525

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
f31323a624896732f18b4be2b5d7fb22

SHA1
b79269d82bcaf693b99ea27bef7aacfdff758287

SHA256
580dd7baf0a3a92f55f78d04c89014557b53466430f935968d21a89cf219e214

SHA512
37a18e68325c06515987dd52d2071ac1d3406ed092f604f0a4efdb000d00d82ccc48b09d98cc16aa9aad9a3ea94713f97c754c547d2a6d954298d16226ef135c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
577KB

MD5
e87bb1e7faa7bd30c2fdaaececbcefeb

SHA1
aae569c20497e38c166c4c12bf2c2d2c076a1296

SHA256
ad42e70dd5f9f9fb4c506c53bff990ad5dad9a1e399abc03c3965eccc49446d3

SHA512
83ecdbdd15806f79accf1169845c493866e117d731103420244c4f607d081f0d687720389885a971e40cc69122b0676849ab6ff1255b62a52cfc33f4abff5a8f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
577KB

MD5
c2c8a0d69bb7c84542b9838bedb976df

SHA1
bb4a82085782b3445b1a86a4102b2c68650318b3

SHA256
1e9932609adc58672302b1474e9812baedc770ba1a9ce2c3d6fbc1f8e0a7d0dc

SHA512
928934b33602673e52fd4d4c74e9945322cedf69f88b03bc1d8123373c917fead756ea643baa662ed0ea3ece9fe48941be6c9413840fcd78520f5272b623360f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
639KB

MD5
a32430204d2cddd35adbcebd010c4144

SHA1
a618fbe846737c921bd6f0964b1b671476871e52

SHA256
11e62a4b50f16ffed32f350b4c1b6a51207a57e962e46c0656fad55763c01423

SHA512
f7483df5450b5ed978726505e90c9d28550ab94ffb05b8db42fbbd22e4076508794d6f1cc4776187177e28caa3e94e445abc6e0deb1ea9b11d059ad88d03644c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
89ac2c99fa538fc33a2a6a1779c48d68

SHA1
d1415db7e1c2fece4a8109f4fecb5ce7fa30234b

SHA256
41f3ac92ed8bab181a73cce8dc9e4d4c0a5be159eb0871c67f48b999780a7013

SHA512
fbdf18e04592f676e3dc2cd6213ceac169428e84e0bd4b13657f7750649d748161c5fceff17b1a5ebb650c3388f17e32c928f5abad5a5d9290c58bc0c2202e35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7f48a62bdb77f7d01c30a8f35df035e7

SHA1
039a45dbaa5936806d0b98c41dab65caa858e17f

SHA256
54fc2095beee2ae9ac4b38e74817ecd5b548832ec593822582dd77643cd588c4

SHA512
b15a1f740ae0b97f71f9871c282298635db3e5853e02ed5d23f550d7f05d1806cba27924a0165778531778ab47d55cf7a7623d1400313afad310121f19a8d359

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
082be58ba4dfc22c981f11b96e9a52a5

SHA1
11610e2e5fcbb04b7b4e19b874a1cb710a2f1b2e

SHA256
df7920c3edbc1d2541d6d3912162eda3ac9fe137e73e9708de282fdf0dcb02d7

SHA512
23ef20fc861a48b2e8da3eecde928d70d8342b831d22ab9ef37a7ae830e36030d5b3693e936bce1648d16e5e1af8bcba93726387bcfb99f4d847487b7cc5b5c3

Download Submit
C:\Windows\Temp\CabDF38.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar705.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3da183dfa42f1cf0aaa459fb9b8d3cde\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
d36c1092e9d4b3e642d4bcdb90bc4342

SHA1
4474d2eb17417f401b93d625399395439799d86a

SHA256
2801c1f3492b5000241e9081aac238765402d3a57231b4bbd21f25bba622750a

SHA512
bc3501b7e664ace8532b96f629fc1ed3fc0a0f0809932e72daf75e7b5a404ac9861664296f084395772dc772d62759293f454949ca501df8ab2a9e2636e23b41

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4bc103efa366a0a0e95f10606b271193\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
0a55b7de63c9193ebfea5b84d854f234

SHA1
dccd6270117955522b463d918d1510944dee38d8

SHA256
cf5247fb85985632c557eb548e5675ee23683c2a30b69917f5eb7120da068e43

SHA512
4bc4eff0e344eb84c90c6a16a8ce0e988060bf288579267df5823f5d83eb344202fe3f8fb4d597fe579ebd3ae02da1f3f2ad9a1c67c1c155d73684cdeee9eb8f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\66ffb89e86d4fa51f14dfa6015ccce43\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
2e36b846d3cc8ab67d8ce843e4471c0c

SHA1
c1c404ace88b7099780c22d871561d89ed9fbdf2

SHA256
4ce5f54ca2c7e6e390e5fe9cb4471ccb9570545671e83fb8fd0a5fb0acb1d09d

SHA512
15cad78b0120c851477c756227baba28b9e686d85d418c7cefc83620339d11c2a085c9787b4c315675addfaabb04a23c5877b90e60567216b7da4850e3e2dfc2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ae4be8b56b80759fe978ee6f5c047f11\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
3aa7343e844377def8ed9e9771dd6f39

SHA1
ba20c938b620174f478845073bd4ffc9109d5933

SHA256
68a168accb10c58005b3a0e7c0fea24a4ec99b5cd74057734e33130539b63e5a

SHA512
49dfd5002feea30d2b7966785d328a7a21c9b670cb2651b94725a0ad45dd930c6eec58c060502a9d76b364846f78118f4de04bc4e84969ff57d232ee3456172b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
54e955f7cce76d05ee7e84b876c34ce3

SHA1
d9ae0145c2768b45980087b9ed20665d01c3ea83

SHA256
43469973edbd99ed60d020021948c6c79387d3ec94d00c57f1f0c1ce1eaaff0e

SHA512
a57ff5d9e7a43d2c2ae968a11048a164a8e60ceebce8c1f5bdf3aaea4008cf2657dfeeb51ebee57eece67351fc0cb53a21a9de34547a4bbf01ae2c685adbbe92

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
10581d61052fa7d907181a84e1bfb601

SHA1
47a84074559027f2ead16772e39928e4461856ef

SHA256
32c5b754a58307caa9a3047916906f1aab961429f93799b549e028c90a872a79

SHA512
d0c7564720199da27aec7baf3717e8eb141c20e592a5e3402a12257e7be57d97a80985efe7ccb1d297c56b3125a66dfcd3865ad3d8a7e963702504cd84ea81a8

Download Submit
memory/284-423-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/532-549-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/792-572-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/792-577-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/804-383-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/804-387-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1144-408-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1144-412-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1148-519-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1148-515-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1192-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1192-358-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1204-630-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1204-643-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1216-100-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1216-99-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1216-96-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1216-94-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1216-88-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/1428-288-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1428-302-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1500-626-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1500-632-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1536-122-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1536-395-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1564-436-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1564-431-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1752-507-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1752-501-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1768-78-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1768-83-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1768-85-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1768-357-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1960-448-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1960-459-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1980-478-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2088-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2088-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2088-8-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2088-1-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/2128-722-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2188-565-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2188-554-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-587-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2260-447-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2260-435-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2284-535-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-400-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2336-396-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2380-110-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2380-382-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2380-105-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2380-104-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2448-683-0x000000001ADB0000-0x000000001ADBC000-memory.dmp

Filesize
48KB

Download
memory/2448-687-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/2448-684-0x000000001ADC0000-0x000000001AE08000-memory.dmp

Filesize
288KB

Download
memory/2448-685-0x000000001AE10000-0x000000001AE26000-memory.dmp

Filesize
88KB

Download
memory/2448-682-0x000000001AA50000-0x000000001AA5E000-memory.dmp

Filesize
56KB

Download
memory/2448-677-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2448-688-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/2448-698-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2452-711-0x000000001AE80000-0x000000001AE9E000-memory.dmp

Filesize
120KB

Download
memory/2452-699-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2452-547-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-553-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2452-710-0x000000001AE60000-0x000000001AE7A000-memory.dmp

Filesize
104KB

Download
memory/2452-709-0x0000000001AF0000-0x0000000001AFE000-memory.dmp

Filesize
56KB

Download
memory/2452-708-0x0000000000E40000-0x0000000000E58000-memory.dmp

Filesize
96KB

Download
memory/2452-723-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2468-491-0x0000000003D20000-0x0000000003DDA000-memory.dmp

Filesize
744KB

Download
memory/2468-495-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2468-483-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2564-103-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2564-19-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2564-29-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2564-20-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2620-281-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2620-37-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2620-45-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2620-38-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2644-374-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2644-368-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2704-335-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2704-74-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2704-73-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2704-67-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2728-482-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2728-470-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-322-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2736-316-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2768-665-0x0000000001990000-0x000000000199E000-memory.dmp

Filesize
56KB

Download
memory/2768-666-0x00000000019D0000-0x00000000019DC000-memory.dmp

Filesize
48KB

Download
memory/2768-668-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/2768-667-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/2768-657-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2768-680-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2792-277-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2792-34-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2828-341-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2828-356-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2852-644-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2852-662-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2956-334-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2956-330-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-52-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2960-58-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/2960-51-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2960-310-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3008-308-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3008-303-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download