fb683e48fd742ca924d7739a3240fc69aebe2046fed5c6541660048a5a0e5775

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe
Size

1.3MB
MD5

2f867dadf51b6b7cf90376be9567bb5e
SHA1

cbe2d37d085338c814c1adf880c169411224dc54
SHA256

fb683e48fd742ca924d7739a3240fc69aebe2046fed5c6541660048a5a0e5775
SHA512

ca0f893ed5a792865a644b2610387a0801b5e21df43c141b41f85b16ff7cb6c96dec96e7ac9373d11a7ada7306b5e03481d110deef4b507a4fbc447cb3a20531
SSDEEP

24576:A2zEYytjjqNSlhvpfQiIhKPtehfQw99qySkbged8sqjnhMgeiCl7G0nehbGZpbD:APtjtQiIhUyQc1SkFdoDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2688	alg.exe
2792	aspnet_state.exe
1600	mscorsvw.exe
2428	mscorsvw.exe
968	elevation_service.exe
1944	GROOVE.EXE
1656	maintenanceservice.exe
2336	OSE.EXE
2020	OSPPSVC.EXE
956	mscorsvw.exe
2100	mscorsvw.exe
2844	mscorsvw.exe
2464	mscorsvw.exe
2408	mscorsvw.exe
1672	mscorsvw.exe
2376	mscorsvw.exe
2116	mscorsvw.exe
2808	mscorsvw.exe
2932	mscorsvw.exe
2328	mscorsvw.exe
2188	mscorsvw.exe
1796	mscorsvw.exe
2812	mscorsvw.exe
1988	mscorsvw.exe
2424	mscorsvw.exe
1928	mscorsvw.exe
2108	mscorsvw.exe
2360	mscorsvw.exe
1716	mscorsvw.exe
2388	mscorsvw.exe
1100	mscorsvw.exe
632	mscorsvw.exe
972	mscorsvw.exe
2196	mscorsvw.exe
832	mscorsvw.exe
1836	mscorsvw.exe
1820	mscorsvw.exe
584	mscorsvw.exe
2808	mscorsvw.exe
1492	mscorsvw.exe
2060	mscorsvw.exe
872	mscorsvw.exe
2904	mscorsvw.exe
2736	mscorsvw.exe
2744	mscorsvw.exe
2436	mscorsvw.exe
2440	mscorsvw.exe
936	mscorsvw.exe
2108	mscorsvw.exe
1924	mscorsvw.exe
1452	mscorsvw.exe
2068	mscorsvw.exe
1272	mscorsvw.exe
1736	mscorsvw.exe
1728	mscorsvw.exe
2532	mscorsvw.exe
2224	mscorsvw.exe
2660	mscorsvw.exe
2880	mscorsvw.exe
1904	mscorsvw.exe
1276	mscorsvw.exe
2284	mscorsvw.exe
2032	mscorsvw.exe

Loads dropped DLL 41 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
468
2808	mscorsvw.exe
2808	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
2904	mscorsvw.exe
2904	mscorsvw.exe
2744	mscorsvw.exe
2744	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
2108	mscorsvw.exe
2108	mscorsvw.exe
1452	mscorsvw.exe
1452	mscorsvw.exe
1272	mscorsvw.exe
1272	mscorsvw.exe
1728	mscorsvw.exe
1728	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
2880	mscorsvw.exe
2880	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
2032	mscorsvw.exe
2032	mscorsvw.exe
1176	mscorsvw.exe
1176	mscorsvw.exe
2060	mscorsvw.exe
2060	mscorsvw.exe
1080	mscorsvw.exe
1080	mscorsvw.exe
1996	mscorsvw.exe
1996	mscorsvw.exe
520	mscorsvw.exe
520	mscorsvw.exe
2684	mscorsvw.exe
2684	mscorsvw.exe
2628	mscorsvw.exe
2628	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

Processes:

2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exealg.exeGROOVE.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\269f6b7fae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

Processes:

mscorsvw.exealg.exe2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5448.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP564B.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP66CE.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41B2.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP61EE.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7687.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeGROOVE.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exemscorsvw.exemscorsvw.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2508	2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeDebugPrivilege	2688	alg.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeDebugPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe
Token: SeShutdownPrivilege	1600	mscorsvw.exe
Token: SeShutdownPrivilege	2428	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 1600 wrote to memory of 956	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 956	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 956	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 956	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2100	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2100	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2100	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2100	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2844	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2844	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2844	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2844	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2464	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2464	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2464	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2464	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2408	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2408	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2408	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2408	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1672	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1672	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1672	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1672	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2376	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2376	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2376	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2376	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2116	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2116	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2116	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2116	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2808	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2808	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2808	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2808	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2932	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2932	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2932	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2932	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2328	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2328	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2328	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2328	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2188	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2188	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2188	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2188	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1796	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1796	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1796	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1796	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2812	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2812	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2812	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2812	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1988	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1988	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1988	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 1988	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2424	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2424	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2424	1600	mscorsvw.exe	mscorsvw.exe
PID 1600 wrote to memory of 2424	1600	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_2f867dadf51b6b7cf90376be9567bb5e_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1f0 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 258 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 274 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 284 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 284 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 26c -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 294 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2a8 -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2a8 -NGENProcess 1d0 -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2d0 -NGENProcess 1d0 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e4 -NGENProcess 2a0 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2a0 -NGENProcess 2a8 -Pipe 254 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ec -NGENProcess 1d0 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 1d0 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2f4 -NGENProcess 2a8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2a8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2a0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2a8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 330 -NGENProcess 314 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 314 -NGENProcess 324 -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 338 -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 314 -NGENProcess 328 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 344 -NGENProcess 304 -Pipe 334 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 304 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 34c -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 328 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 354 -NGENProcess 33c -Pipe 314 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 344 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 30c -Comment "NGen Worker Process"
2⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 368 -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"
2⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 34c -NGENProcess 33c -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 33c -NGENProcess 35c -Pipe 328 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 2cc -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 2cc -NGENProcess 34c -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2fc -NGENProcess 374 -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 37c -NGENProcess 33c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 374 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 33c -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 34c -Pipe 2cc -Comment "NGen Worker Process"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 374 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 33c -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 34c -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 374 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 33c -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 398 -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 394 -NGENProcess 33c -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a4 -NGENProcess 3b0 -Pipe 398 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 370 -NGENProcess 33c -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 33c -NGENProcess 38c -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 3a0 -NGENProcess 3b4 -Pipe 34c -Comment "NGen Worker Process"
2⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 208 -NGENProcess 370 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 3b0 -NGENProcess 3a0 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 394 -NGENProcess 3a8 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3c0 -NGENProcess 370 -Pipe 20c -Comment "NGen Worker Process"
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3a0 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3a8 -Pipe 33c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 370 -Pipe 208 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3a0 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3d4 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 394 -NGENProcess 3a0 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3dc -NGENProcess 3a8 -Pipe 38c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3a0 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3a8 -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3c8 -NGENProcess 370 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 3f8 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f8 -NGENProcess 3dc -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3e0 -NGENProcess 404 -Pipe 3e8 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 404 -NGENProcess 3c8 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3c8 -NGENProcess 3fc -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3fc -NGENProcess 3e4 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 410 -NGENProcess 3e0 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 414 -NGENProcess 3d4 -Pipe 3f8 -Comment "NGen Worker Process"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3d4 -NGENProcess 3fc -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 41c -NGENProcess 3e0 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 414 -NGENProcess 424 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3c8 -NGENProcess 3e0 -Pipe 410 -Comment "NGen Worker Process"
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 428 -NGENProcess 41c -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 424 -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 3e0 -Pipe 418 -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 41c -Pipe 420 -Comment "NGen Worker Process"
2⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1ec -NGENProcess 1f8 -Pipe 260 -Comment "NGen Worker Process"
2⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 414 -NGENProcess 42c -Pipe 430 -Comment "NGen Worker Process"
2⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 434 -NGENProcess 280 -Pipe 438 -Comment "NGen Worker Process"
2⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 41c -NGENProcess 1f8 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 3e0 -NGENProcess 42c -Pipe 218 -Comment "NGen Worker Process"
2⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 428 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
2⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 3fc -NGENProcess 1f8 -Pipe 1ec -Comment "NGen Worker Process"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3e0 -NGENProcess 43c -Pipe 428 -Comment "NGen Worker Process"
2⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 414 -NGENProcess 1f8 -Pipe d0 -Comment "NGen Worker Process"
2⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 444 -NGENProcess 3fc -Pipe 440 -Comment "NGen Worker Process"
2⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 280 -Pipe 424 -Comment "NGen Worker Process"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 280 -NGENProcess 42c -Pipe 44c -Comment "NGen Worker Process"
2⤵
PID:2864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:968

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1656

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2336

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
1.3MB

MD5
48c523b5dc288130233ead8e4763abd7

SHA1
760ce67a7cfea9c62fd5691027bd74ac60de39ae

SHA256
0e7591afb62651467056beb2c39174fb6f9bdf9ea2e758203025ce8d160762ba

SHA512
819d7ebabfe11bf2aa9f9abb555b50611f02eea8e9dfb0f71a88ad07e4961e1056a2cc7ef65c1d2b150c14f64a26852958afc5bdd2beafa81e14cbf7edd89d27

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.6MB

MD5
20cd5de94331592c58c534d32a27eb33

SHA1
75f5d26bc5961d93cdae51f3396347685b0ccdfd

SHA256
27424911c8f6e0792f3e192a717e68c3698a37007cfbafc33d724748115f430f

SHA512
fb1447bcca509cafe1b3f8f68b8c0bd3cb03add1052fe6b25b5f98bc0b668c56cd2049e9757f91f139a497b993dd531792f0fa3d5c768cd0a1e3d4a38594b282

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
1.3MB

MD5
3b49ff917e4f105ca1c6a33ef6814a0b

SHA1
8de7a16168b96511d32ac37339ec01c428d19b4c

SHA256
842536caca3afe57d2c330d85b710bf219ed3c0f393708985446e055b437ca01

SHA512
ccf1a2ca2e8b1b293585a9ee2de750532b44e2740969621ef99a96df932e40a08c2897999f8e164f81cc09ad5484837569e375c2d27f74e665119e4a1051bbd2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
Filesize
1.7MB

MD5
d7d81e3a4b5ca58bab9c9c547001c088

SHA1
b78033cc2324c6af4e56ca42cf57e8e468b9566b

SHA256
b5eb173fe7bfb25e355bc4546eb82d3cf9386db88c313220ae8db6b57d5b1e9c

SHA512
cb33b3498db5b89a726295993e09636604259f740587feef5a17d644e62afa9f239cd31db7846f2f8993bf82553b0c6600c0d9fa9e6a4a8bb4b3a1137c62cc3f

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
74e719c1667ead6d45d27218814ce8b4

SHA1
c400dbc45f7b1a6a2544a62541335b17ea5faab8

SHA256
63e0e53d81ad71726aaad885fef64017f968a0308ff52ace899ab67c7e68f7fc

SHA512
048f357774b65f4d8b2f7ed97d50c89bdf42f4453c2ea5bf82af376b8ffd8b25f8c0ba8f376bfeda7a52561e4b54b7781a1e7ead5375297eab50785fa05e5de6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
69962daa34f07a06e12c2723221b69c4

SHA1
89c9aef510f4308f16f58458a9526c29d2a84e20

SHA256
f0b808c008df2bbdc3176f8188869fcf35e932ebf85d0d99f355331086b34f4d

SHA512
3203634dd56eafe5f3699a20fb103fe479945fd3b2e2d602d657594f11d347628de1923d454bb6d5eda43bba32c09b6151040807eb1e6c58d14a8e570f0cdbfb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
c8bc22aed527e0595f5f973ab5a9bb29

SHA1
fd8c47b2a31a9fdc42ac58663201036dd741b4d0

SHA256
c290b4a752eb1b38e626f22eac836d17cd051f53b539e4a00f104e7f95eae798

SHA512
7983594b8ee0127c57300e73b3f0e866b3f787a73fd13f6ec319e9331c28b9b15560258c22387141a9465f43d74f2b4145ea5f0337da5aded4d9cbace8eb80e8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
1b70e344fc94631cf3b745738b411b19

SHA1
f775932673489b7c05bc640fc536a0c48d3b7477

SHA256
834a3cb00870cb858ac8269dbd9443773263060e2a28fbf2723b5df563210112

SHA512
c32324c73ec9319282143728c666ed6f283cdc7d6d323adc9146ea7ef37523c111fc1129228485b4ecb3372166e43743333491b7b22812b594a9b64113badb94

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
35cbd69868f23801132b9859133fcf96

SHA1
81df43fe0a2a938e462842c9e6389bb590c36dba

SHA256
171b929851e8722b3446c86e2a6c80e53263bb000a88e0c5b2272a0f0a73649c

SHA512
bca4fc6755bfa75a415f2a79fa706a035064e6609889b8616bb3fd5ac627fd0fd33de145fe307ed04fa49b971e462a3d4db4a4daad78e788de8378e1680ed571

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
8ee867fc64c04f8b734dda6750f002a6

SHA1
4f20aa09dfe36ed9b3c7739093057030ac934137

SHA256
d887cc8d85262d641e6b3e0e3822d48e2307c1c8bf0db5a86ab722e0ba435635

SHA512
603c52720907c7e1350d50a75585925593e43ef794bf40270b1145fb0c96dc1f47ee908b6ff7793ecce4269e0cfc856d1f305244754779f3d9516511a90c7bf4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
d384c2883e9f85494f6f02a0add6ca66

SHA1
9363c2a2dd1a23d9fae9a66c2d3c2dbdb346091a

SHA256
bb8a8afe8e7a3dc54c9ec54c20b2416f5c9e278b92fa9f633d15595e5c339c2e

SHA512
51f3a103e9c8810715a45c81373b2f70de26181f012af42e374e2c8497f3e949a0754ff9a7eb14c86c51312e29393303b1a5099d9f10e37af13030c02f47ed5e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
c76068806fdcece1750e934dd28ba097

SHA1
51942a940fe857400859da823b77df0dbb19b329

SHA256
fb1286bdba44629d64e564a25b4d2220f7dc5891d12c41fa63c9ebc0f0fc5548

SHA512
d7733f7b57077afbb199a824b83fc38160ec9e2b73ac81cef128d88c424a8891e5064a5cd7efa33956a6d9b6d4069d4839eab9efda06648a2f6f3146984b35fc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
8924afa03e7657c298018835cd5543ed

SHA1
6b239522c82fa0a5d5a2be3517b9d8ae3abb27c9

SHA256
1ca3b82b2a74ff62ca0710e607189461917d84b4661b4f317740e46b8d258c20

SHA512
6f5e018ae64cc9babfec53e8680ef2eebd42abd83ac3c0f6a0d41ad20006baeb2ca97c42a7c416d07554a17bbeb583c3c47e8211c6f1001ae4f442ef4caa7734

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
af9b2f79a5555c295ee5445aaa8bffcc

SHA1
854555df86a06edc66ec8efbe1f13f46a48c680b

SHA256
05da33b26b8aabcdd7f51de93d9a4113fa3d556571279aaa3fe1848aacdfa707

SHA512
008b296e7b6cf13db2915e97b30bdb375e3f25bf2506a486a74ef92c25cf4adade450b6996d113def9b9efc31f02d990c483c06e8032516e988cfc93f41a6e57

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
130407a1c2893ff49bbab84b1baa1715

SHA1
63fb08d3be1fd887a94eee723e05ecb96e2fea97

SHA256
787a195d59c637799fae87e0483a2a8878064d4cb185bf982431cdf611c4bf89

SHA512
06b0ddf9584bf7f080d107bf05608bbcf6811ee0bae106ec0ca30697c4ebcf6d300dd8cf4f6634f2b1e3cf3b845b9c1ae4d25608a8eeebbf11a6e331f189f4b2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
6158c5768c346e5b06acd5f6504c0038

SHA1
4c537e9484b5b45aa23dd140d61482e931549e97

SHA256
fe6960680b8da67d0a9c00b6dcfc489f8aab68bb71c6ea48d1c92ce06886c39a

SHA512
1079f28c5ac59b2ef75361742d21b1487127030d5eb841ac23592b03c4f0711eb1506f91d49d75f388f35c9fb45656516652b45688a2085dbc5fc594c6ff3964

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
5e06b65c9846548afa8287624037f467

SHA1
9c2c04c36207c220dab30efac69bcdd43be23238

SHA256
a94a7aba29ade9365cb84dd52911e444c461cc5b0472f239f4fd422ffdefdf83

SHA512
0e2e844afe296b399fca7921068627e4117c49134cec2b89ca0c01dc5a67664b192c81fa30b854ff82291c667399839239c7b0a8779c3fc9af4fa34c4310ee94

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
14f9f78a786b258e4b33f717da452f6b

SHA1
e42138f0aec136b6dfe1ee5e3f231f20e7b4af03

SHA256
2d7d53194950b8ea529991a6c5328fb02d8fe970078e9fb3d142529012feb09b

SHA512
55d320e0f0e6d214e6e2b65051df34ddf9c99b6ecce8ebf0b331a9ed53578b41a1790e7ecd0164b21cb755f3c463c9024d9c8e92aa6e271c4b63652e38afc012

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
Filesize
1.2MB

MD5
6454958a757fb7d9ba18a1ef3ae35dc1

SHA1
144fd91a3b067f2356adf158b4072c9bc3fc4015

SHA256
9bc84d870b99342a39afd81b58d21673ebd1c98eecbffea9bc1a428682cf3bfd

SHA512
0e81ee7fd7edc95ed6213b145f08320eb14723581c9ad866fa176e2e40fe333322038be0e4e4e32f96324dfe8ac7e4c9d0a8189b329d25d183387347c97c885e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
Filesize
1.2MB

MD5
7a0bf6f8fc254b95262a1b9ab6c5cdd8

SHA1
c7344836c8895746dec4dbd2991ee1e3c32465b8

SHA256
716e88f4d9707a181852290da946d4390de3232c82d665b7571ea23d4a0884b9

SHA512
6e37e4dead0e60c8fd5b53da6b916e0e07a9f69d0b0d243c3c66bd10e4a96295ad67e69e927cfab716b40b384e97d5f6972f63a7a4b88edc3872d3711803a770

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
Filesize
1.2MB

MD5
05387fec5e8b4dccac807d2795f92a14

SHA1
5dcdc7e1a2119d4017c108a719252f13c739cdb9

SHA256
694571c569da1d01243766b7872cd9f08a995d3b910eaae9acf35c8699021a88

SHA512
b5822cf650463637eb8a3fac4de3b44bb4b96a2ef4381296f74fb12380e9e8d9a6b865c9d511bdac2d681055a2b07073e84dcf2a8632484107cbd3eaae4b3a8f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
Filesize
1.2MB

MD5
26d85532c7058154516016340420672c

SHA1
02eef51dc7149015789f5c886ce5b2ea06fa4a3a

SHA256
6e671517b17c71e5c535ff31e9c2f8b9e8508dccdd80546219601938fac1c9c0

SHA512
1d78ff921adb823c7569bb685196de9b8e445da5657bdc2d5efffe9b4f5218804ba2465ae7c639b1511bf71de890c57d6df7e6725e4660030f2510753484cd50

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
Filesize
1.2MB

MD5
fc9fe3f138ad63ee0de1a8182eea03a5

SHA1
361c8b3f8b49bc3bbb046a01a3d31de7940028d8

SHA256
3a5672afca67fdf7121a81a4526992f5a7e323e836c51ccf82ded07d5075246e

SHA512
012e67df4fc0f54a24a370e61626a38786498e75c6ff8fdf92f1f90129c0fcc5483431088eead909b176950d8a8fe0f5fe1cb01227612aa8ad74e28e02789afc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
Filesize
1.2MB

MD5
0ae009cc82e6b4f843a2b8b0a7797805

SHA1
8b39a425691754aa3679c2d18dcc7b275d9efb8c

SHA256
69498a8dbcfa8aadf0590f637ba5ecff64065209d8ec910b21f44dc8a7ca3a2d

SHA512
cfd04e4f82711ee13b8609d3660d2bf89e01a5841255234f163e7e65c578523f1cb833cc824de2b458fb203a0e97737bb1157188249acb6f06a6aece659f1ba8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
Filesize
1.2MB

MD5
ae084e98050d2bb78fd6021a6bfb404f

SHA1
34e6560fd3d183e74e044b3572ad09a89cb353d1

SHA256
d129dc33b862a9dbd9d6a3675f2e7327bbd2316dbb06fe71be90377b04c1da1a

SHA512
6b7b05287013484cca6facf7c3bd1907dbdbd4d9370a5dd9dff22c81f0cd9ba4c126b65f31e15e9df17bd6e01d9cd841260d66fca0ec83defefc021cd93d340a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
Filesize
1.2MB

MD5
71b8c4c34ee2a2f813c9ab8fc4467f47

SHA1
ada86444492e219aa189a7724d9d3ddaf535cd1e

SHA256
9b76a3bed00a22e5aa99afda46d522ab01c254df0f26c957ee431a9e97e0339e

SHA512
c5a3b507ea4e42e90bd1aa2f28bcac8fb5499dff2303de84fe7d3fff26852ff0b606b7c8b89511af83d2c9330f387379d8a753d6f92abe04a631f71941c6f927

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
Filesize
1.4MB

MD5
caea6bb6546bd326e932dc109ded85a8

SHA1
bff0e7c9c2532509667af0a5f18575f97365bccc

SHA256
365b3cfae99321a60d47f9ba07390436ac4d1d0b03fac188b2f7d2bc7f25490c

SHA512
ca2894bb938c57f5b1a6461995e45f4fa0aeb3e8b8a77ae96fbe75007b8277752b4d4c54ff19c2612b4fc37313018adfe8ee362598541ed7c72cadafccd193f2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
Filesize
1.2MB

MD5
2013a9088e502dc8f9fc502dbad8a38f

SHA1
4fce492d5cd2e577ff931f084a684fd07445cd01

SHA256
dab4616741418a43347cead677dee0752e2af78cb4e7f51f891e74a02fa259e7

SHA512
9ca6f71034e0862db0c36e352f050950b4df168e8ad3ab6f014880e07820088d610688b902793b35fe8694fb8ed4b0bd63e748ad3a0b4b22698e90b5b571fbcf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
Filesize
1.2MB

MD5
d2d3148e8d4376f4497a6761831057da

SHA1
21f44d890ea27fe23d0267d5c9caf2ae9c14ee12

SHA256
d71a42126e35747b7d7389fe9f9711d5b0cd0185d5328ec8e024f679924bf94c

SHA512
d7fe9229b51a27e06131677857fc6268ff466902e23c0d04efd4e93dd87f1b41f652990c2a47823ba1700dabd34043172317589cffc36abfbd79089665089c43

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
Filesize
1.2MB

MD5
5ccc3026f8974a652a46359c091579e9

SHA1
6b69439535cc0df20aeffca4eebdab8e2aad97fc

SHA256
4ca42cf86ae9ce888b65b1cdada6b47dbe1d58a2d177f46050216c324a3fcf8a

SHA512
2b09b44f2a2561ce80702fa7cab05e8d3f3ed65d1b0b6e4fac18643bd12d8db2f1205b272a348857bd334449ab9632b7515819538f86a6efb461d7f76828914a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
5ece7d86b3bbb7a12597b77ea1907729

SHA1
4764e73d1e69e4e88e10d309b50aff05cb36e325

SHA256
b8c12a6e567685fec43b87d6d13ee49aefb523065dadc6541e22702d2d88e2e1

SHA512
14023562dedb6edf19aa228020033365bde46731e0d18ae95189c04f12e26ef83b380bc647dc1ae24a6d5331bb9850cc60b2faf246bf5b4cfe40f4176f91c75e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
a7bc1fe5b84fc044bf8c9a33d10b6092

SHA1
e0097a799a5e4498f7d116a5367c96189e95135f

SHA256
f3ac6981a0200bc884bba9e7c72d011834a6b9384a23bd6cfffeef410433b386

SHA512
39a431399d3a7930030e522e0034d2f8b5d21f4f51cd979e16bc966a5a7f617d5e8c4f131762729c838aabf81ef648243a5aa74ebfe25583439d6b9b9ff85cf5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
f16187654150c6cd9b072f739a9ae7d6

SHA1
90c5edf92a1d21d0fb627de4059f5cd520828b57

SHA256
95bcce34d95bdfcdddc79db5871a9369021bbb1b94dcdd21bc4ca36c3532886c

SHA512
8bdb39bbe36c62677f8f07a14ae36ed3b578039422a059d0d3bbd74d98f30b4a07b142c47b42079e954bde379da768b6a54822640e8081408e4381265ff85136

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2db09a4421fb3e52d9e906dcae43bd19\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
a0fd466cf10472c04551e058ef58a6b8

SHA1
0c926cf50235163c5ff3a786acd908c5eb0e9d40

SHA256
eff0063df63b0217339ec103483722d696da0f1e09b24efff3cca3b3c95056d1

SHA512
1f4c6bf82f79e1f7b1db783d60dc81fa60d10c7633a6e4c6d8b5886e1576dc8bd92295bbb108909e6472bba2845714bba6f3c0b1fc94a7afb43c9d02c17d1ead

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9cbc975f3422a4a07aeb38cf418fdf57\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
5eee4d5718e699e733643ffbb5ba71b2

SHA1
01c897b809ecc47c08d4185b02d46d2178938d94

SHA256
2faf5f01a525ec043a6982015f634e7e59d02ff52c56c7894fffdb2a82d16191

SHA512
164fbf40aa2836ab895c77775a37e393efc6f50e94dd7814d837b3d3ee16fbe91cee4786820b429607be0e2d7d18e89ec6f8ea5afcbc2bd46ca9bed8a56d2a35

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a1cee617f334468f62885ccb17740a46\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
c8685082b4c1c539a8bf9eb0130f09c9

SHA1
7f89d7c9c3793dbd5432eff402ac41fbe6bd6ab4

SHA256
17c88e01a985d547693765ae66f45a056bd9aa85677b96fa67c4858e3146f177

SHA512
595a1ab191650f12f34cdb9670e441b03ca87912aa559393375b9872050a5300b3ad0a74df21c2d4ddc020b501dc2cab52c9d12af18b3f5f252ef72ebb35ed5d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.2MB

MD5
60de2ea46123c42bafa62665b969703a

SHA1
9b715789358f0f9fb5eb57d656bfa1e9d25399b5

SHA256
29c54ed13463fd48db5720420e0fdfec3023307be478156d4f59ba3389f527cc

SHA512
a32eed910eca519a3ee5e19820a3f2ac6a734c05fded5c40cbfbad764c165c1ad088c38db11c937f4225d1a2db467479e42c4daa500bbb0725d2d86b2d141177

Download Submit
\Windows\System32\alg.exe
Filesize
1.3MB

MD5
490995b0a860483766db6949e1e49cd2

SHA1
002bf80a46980d59f18d40abc8bc7d8afa213151

SHA256
c0e057bd97a6828ca4633b0d0d9e621c76327bb7c35c46553a3a80c2b92cef81

SHA512
38f6db8fd05596ddf0ecda91df3a7e2b962438f4476f2e613c82ca8b040bd22f30c08b748509d196c56405066fbc1e09e6bbb4591f3a65fcb0defa6e2fd8fc29

Download Submit
memory/632-564-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/632-558-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/956-259-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/956-216-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/968-66-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/968-72-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/968-74-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/968-327-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/972-574-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/972-587-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1100-547-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1100-559-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1600-37-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1600-629-0x0000000001FE0000-0x000000000217E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-635-0x0000000001D50000-0x0000000001D7A000-memory.dmp

Filesize
168KB

Download
memory/1600-634-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/1600-633-0x0000000001D50000-0x0000000001D74000-memory.dmp

Filesize
144KB

Download
memory/1600-632-0x0000000001D50000-0x0000000001DD8000-memory.dmp

Filesize
544KB

Download
memory/1600-631-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/1600-630-0x0000000001D50000-0x0000000001E3C000-memory.dmp

Filesize
944KB

Download
memory/1600-250-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1600-624-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1600-625-0x0000000001D50000-0x0000000001D6E000-memory.dmp

Filesize
120KB

Download
memory/1600-626-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/1600-627-0x0000000001D50000-0x0000000001DDC000-memory.dmp

Filesize
560KB

Download
memory/1600-43-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1600-628-0x0000000001D50000-0x0000000001DF4000-memory.dmp

Filesize
656KB

Download
memory/1600-636-0x0000000001D50000-0x0000000001DB6000-memory.dmp

Filesize
408KB

Download
memory/1600-36-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1656-93-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1656-98-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1656-99-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1656-95-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1656-87-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1672-359-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1672-345-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1716-534-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1716-522-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1796-434-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1796-448-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1928-491-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1928-487-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1944-85-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1944-344-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1944-82-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1944-77-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1988-461-0x0000000001B00000-0x0000000001BBA000-memory.dmp

Filesize
744KB

Download
memory/1988-473-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2020-118-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2020-383-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2100-260-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2100-281-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2108-511-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2108-499-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2116-387-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2116-374-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2188-423-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2188-437-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2196-584-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2196-590-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2328-414-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2328-411-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2336-103-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2336-108-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2336-102-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2336-373-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2360-510-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2360-523-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2376-372-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2376-360-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2388-544-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2388-535-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2408-348-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2408-330-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2424-472-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2424-486-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2428-57-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2428-56-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2428-50-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2428-316-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2464-317-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2464-333-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2508-6-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2508-1-0x0000000001E40000-0x0000000001EA7000-memory.dmp

Filesize
412KB

Download
memory/2508-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2508-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2688-204-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2688-19-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2688-28-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2688-27-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2792-33-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2792-215-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2808-384-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2808-399-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2812-460-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2812-449-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2844-320-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2844-278-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2932-396-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2932-402-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download