4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67

Analysis

max time kernel
143s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
Size

1.8MB
MD5

97b926ea52fbe1e921f34b314ce6bd5b
SHA1

ea9f3413aaa4925cda8c379e1901a3c146fb5675
SHA256

4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67
SHA512

8c49c306e04be7b8e2e8cf983251988eb92bba460005ca8ea836ba72884cd78d6afb474e0b653bfd6607b2029a9c6b9f532c79cc6cace79abf075782deb04da9
SSDEEP

49152:2x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAegFIDRRAubt5M:2vbjVkjjCAzJaUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
2924	alg.exe
1012	aspnet_state.exe
1372	mscorsvw.exe
1116	mscorsvw.exe
1976	mscorsvw.exe
2508	mscorsvw.exe
1100	dllhost.exe
2960	ehRecvr.exe
2896	elevation_service.exe
2076	GROOVE.EXE
2424	maintenanceservice.exe
2464	OSE.EXE
2680	OSPPSVC.EXE
2804	mscorsvw.exe
2428	mscorsvw.exe
1576	mscorsvw.exe
2992	mscorsvw.exe
2620	mscorsvw.exe
1664	mscorsvw.exe
2008	mscorsvw.exe
2548	mscorsvw.exe
1176	mscorsvw.exe
2812	mscorsvw.exe
1080	mscorsvw.exe
1740	mscorsvw.exe
2944	mscorsvw.exe
2056	mscorsvw.exe
1584	mscorsvw.exe
2956	mscorsvw.exe
2648	mscorsvw.exe
2364	mscorsvw.exe
2288	mscorsvw.exe
372	mscorsvw.exe
2796	mscorsvw.exe
1048	mscorsvw.exe
1180	mscorsvw.exe
2704	mscorsvw.exe
2060	mscorsvw.exe
1892	mscorsvw.exe
1772	mscorsvw.exe
952	mscorsvw.exe
1064	mscorsvw.exe
1124	mscorsvw.exe
2880	mscorsvw.exe
524	mscorsvw.exe
2916	mscorsvw.exe
2496	mscorsvw.exe
2120	mscorsvw.exe
2908	mscorsvw.exe
2740	mscorsvw.exe
636	mscorsvw.exe
2288	mscorsvw.exe
764	mscorsvw.exe
2020	mscorsvw.exe
1064	mscorsvw.exe
2420	mscorsvw.exe
1220	mscorsvw.exe
1796	mscorsvw.exe
2044	mscorsvw.exe
2072	mscorsvw.exe
2016	mscorsvw.exe
892	mscorsvw.exe
2280	mscorsvw.exe

Loads dropped DLL 42 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
472
472
472
472
1124	mscorsvw.exe
1124	mscorsvw.exe
524	mscorsvw.exe
524	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
2908	mscorsvw.exe
2908	mscorsvw.exe
636	mscorsvw.exe
636	mscorsvw.exe
764	mscorsvw.exe
764	mscorsvw.exe
1064	mscorsvw.exe
1064	mscorsvw.exe
1220	mscorsvw.exe
1220	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
2016	mscorsvw.exe
2016	mscorsvw.exe
2280	mscorsvw.exe
2280	mscorsvw.exe
1636	mscorsvw.exe
1636	mscorsvw.exe
3060	mscorsvw.exe
3060	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
2600	mscorsvw.exe
2600	mscorsvw.exe
2672	mscorsvw.exe
2672	mscorsvw.exe
1064	mscorsvw.exe
1064	mscorsvw.exe
2420	mscorsvw.exe
2420	mscorsvw.exe
1984	mscorsvw.exe
1984	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

Processes:

GROOVE.EXE4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\feb63df6ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exemscorsvw.exe4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_pt-PT.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_ur.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_id.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_zh-CN.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_bg.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_iw.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\psuser.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\goopdateres_hr.dll	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8E5B.tmp\GoogleUpdateCore.exe	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7436.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP57D1.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB857.tmp\Microsoft.Office.Tools.Common.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D5C.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4C226AFE-D103-42E4-BD97-2394D0F93BCD}.crmlog	dllhost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A21.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4CD9.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP68A2.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7197.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP821B.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP846C.tmp\stdole.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exemscorsvw.exemscorsvw.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1400	4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeDebugPrivilege	2924	alg.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeDebugPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe
Token: SeShutdownPrivilege	1976	mscorsvw.exe
Token: SeShutdownPrivilege	2508	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 1976 wrote to memory of 2804	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2804	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2804	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2804	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2428	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2428	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2428	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2428	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1576	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1576	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1576	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1576	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2992	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2992	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2992	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2992	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2620	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2620	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2620	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2620	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1664	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1664	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1664	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1664	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2008	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2008	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2008	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2008	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2548	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2548	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2548	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2548	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1176	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1176	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1176	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1176	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2812	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2812	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2812	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2812	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1080	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1080	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1080	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1080	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1740	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1740	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1740	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1740	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2944	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2944	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2944	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2944	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2056	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2056	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2056	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2056	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1584	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1584	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1584	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 1584	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2956	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2956	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2956	1976	mscorsvw.exe	mscorsvw.exe
PID 1976 wrote to memory of 2956	1976	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe
"C:\Users\Admin\AppData\Local\Temp\4f0c5bd2f81fdfda87be8e6701362d14e2ed919e98e402d801c42e388bc4fc67.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1372

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 250 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d8 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 1d8 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 278 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 270 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 278 -Pipe 2a4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 288 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 21c -NGENProcess 298 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2cc -NGENProcess 29c -Pipe 2c8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b0 -NGENProcess 2d4 -Pipe 21c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 2b8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 298 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2b0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2dc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2d8 -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 304 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 314 -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2c4 -NGENProcess 2d8 -Pipe 2e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 31c -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 314 -NGENProcess 324 -Pipe 2c4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 328 -NGENProcess 300 -Pipe 2bc -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 300 -NGENProcess 320 -Pipe 2d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 330 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"
2⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 334 -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 330 -Pipe 308 -Comment "NGen Worker Process"
2⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 328 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
2⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 344 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 330 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
2⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 34c -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
2⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 358 -Pipe 304 -Comment "NGen Worker Process"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
2⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 34c -NGENProcess 33c -Pipe 36c -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 33c -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
2⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 374 -NGENProcess 314 -Pipe 344 -Comment "NGen Worker Process"
2⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 33c -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 380 -NGENProcess 320 -Pipe 37c -Comment "NGen Worker Process"
2⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 354 -Pipe 358 -Comment "NGen Worker Process"
2⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 374 -Pipe 314 -Comment "NGen Worker Process"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 320 -Pipe 35c -Comment "NGen Worker Process"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 354 -Pipe 378 -Comment "NGen Worker Process"
2⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 208 -NGENProcess 388 -Pipe 374 -Comment "NGen Worker Process"
2⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 34c -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"
2⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 380 -NGENProcess 33c -Pipe 354 -Comment "NGen Worker Process"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 398 -NGENProcess 388 -Pipe 20c -Comment "NGen Worker Process"
2⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 390 -Pipe 394 -Comment "NGen Worker Process"
2⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 33c -Pipe 38c -Comment "NGen Worker Process"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 388 -NGENProcess 380 -Pipe 3a8 -Comment "NGen Worker Process"
2⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 208 -NGENProcess 3a4 -Pipe 34c -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 3ac -NGENProcess 3a0 -Pipe 320 -Comment "NGen Worker Process"
2⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 3b0 -NGENProcess 388 -Pipe 3ac -Comment "NGen Worker Process"
2⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 3a0 -Pipe 39c -Comment "NGen Worker Process"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 208 -Pipe 390 -Comment "NGen Worker Process"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 388 -Pipe 3b4 -Comment "NGen Worker Process"
2⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 398 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
2⤵
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 380 -NGENProcess 388 -Pipe 33c -Comment "NGen Worker Process"
2⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c0 -NGENProcess 3cc -Pipe 398 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3a4 -NGENProcess 388 -Pipe 3b0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c8 -NGENProcess 3d4 -Pipe 3c0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 208 -NGENProcess 388 -Pipe 3a0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 388 -NGENProcess 208 -Pipe 3d8 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3dc -NGENProcess 3d4 -Pipe 3bc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3c8 -Pipe 3a4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 380 -NGENProcess 3d4 -Pipe 3d0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3e8 -NGENProcess 388 -Pipe 3cc -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3c8 -Pipe 3e4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c8 -NGENProcess 3e0 -Pipe 3f4 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c4 -NGENProcess 3f0 -Pipe 3dc -Comment "NGen Worker Process"
2⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3f8 -NGENProcess 3ec -Pipe 3c4 -Comment "NGen Worker Process"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3ec -NGENProcess 3e8 -Pipe 3f0 -Comment "NGen Worker Process"
2⤵
- Modifies data under HKEY_USERS
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 404 -NGENProcess 3c8 -Pipe 388 -Comment "NGen Worker Process"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3c8 -NGENProcess 3f8 -Pipe 208 -Comment "NGen Worker Process"
2⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 40c -NGENProcess 3e8 -Pipe 380 -Comment "NGen Worker Process"
2⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3e8 -NGENProcess 404 -Pipe 408 -Comment "NGen Worker Process"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 414 -NGENProcess 3f8 -Pipe 3ec -Comment "NGen Worker Process"
2⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 3fc -Comment "NGen Worker Process"
2⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 410 -NGENProcess 3e8 -Pipe 404 -Comment "NGen Worker Process"
2⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 420 -NGENProcess 3f8 -Pipe 3d4 -Comment "NGen Worker Process"
2⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 40c -Comment "NGen Worker Process"
2⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3e8 -Pipe 414 -Comment "NGen Worker Process"
2⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 420 -NGENProcess 430 -Pipe 424 -Comment "NGen Worker Process"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1100

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2896

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2424

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2464

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
1.3MB

MD5
b9fe87cf8cc587833f5d6ee65ecefe0d

SHA1
812ee5cf7253a401cded31fbf1f5584dbd2742b9

SHA256
bc23c0755999fbeff45b730c113f726e599432a283bb9167b041ff3d17877e10

SHA512
9edbb0c631465e24b1b79576a758278d80b9bee2d56d58f54aac8c549a6b24aa49d8a89ef1b7d7eef0d548db1f3129c95e7429070806996f376f1ec2b68d3c21

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.6MB

MD5
5f877896e018bbbe15e28349a7dd568c

SHA1
d6738d7aede833c0a93243dfb7bc46144c187816

SHA256
1efe2f35702c2bbc84f1e25e2928473dec7dc8e6c127efd1dedcc965ac387bfb

SHA512
2a7a84f62630b238a247047ad069f7f5a257a1f78e1f2e5b2298b0b4cbb9d46cb0caab129e09afcbe92431e58340db666d7cec0c5a6d0d67e0dadc362a13d7de

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
1.3MB

MD5
43180d079152f08a95e048b11df288bc

SHA1
08af5bd4aa17a99ba584cec0c29954382e8eb30d

SHA256
e8c2ff8a46d9a21e54b0b893a108142164291fa9d63af08a4f78fc1511bee284

SHA512
dbb04c0d36d308f72596157afe6f0e7495dba2718239b9d5db55e2a8f60e408900dc611717916e9afd21fc8c14581d98efe23afa14bcc8ce855e080bbdee1f41

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
Filesize
1.7MB

MD5
d393419b6d75017cba6f8cfbd8f55136

SHA1
48a8d40488ae0d014cc68496a4589e7210438368

SHA256
d46bde38db431e58552e45cb87961d0fe33acf41e8f9a696073ce18fdcad5446

SHA512
b25bed98e6f9008404e262915d949b8bce6ba543694376e32667748f4521251bda54c7993537da43a41492202363addea3f8a80b653e2180b412fc26b5760899

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
a978125c0d83351c6f5668b331094e22

SHA1
4e297993cf12a3623b3e7b2e6cefec4203d165b9

SHA256
b59a148bcda211b5d4ceaaa64976f26ade26cc30e4fc4f78da84517e304cf94b

SHA512
6665fe039db4b1f7cbc00e8f653987deaf5f4b270d63b110e49fe0a8f025b763cdcc9d07fb85fd9292bcefec8a55e7132e928a6336442cdd510389c247159fc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize
30.1MB

MD5
cc7d4486d7db139ee8febdaff48fced3

SHA1
62e0bcef295330a1ae8d071660b8e3eada8ff76d

SHA256
3bdab1da174b43ac8418da945701fa17f2d40e1555c4a11ed98f93970284976f

SHA512
8a6db5e5756c165d14e15418add5beffe8bac65de1f51ac80e7b19c5ae3efcd25f26527f125d5735cbeae65f8b60bba9898721613abc8d300b45ca77d12a19df

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
4a8fde7e65226a076eedf3e5efaa6dad

SHA1
ac2333583cd04255e8f986b614a2eae736ce2ccf

SHA256
9fa810f3e4653b670b2beeb2dda2fe0597c76c46ac80a7884580baafd2858321

SHA512
52a978cb3c0a592702d8b39589c48cc4cdbd1591cfa1e384b93dc0535f0d8d9574a67ba45fa04341aad81ae488f3f9f695b87a74b54f8c0c0903836923f0e4f0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
a1404fc6155567c373fd0486f64b6738

SHA1
79437698f5af8c8bba022d5dca884b7eec5b7973

SHA256
260594e9c3626027dce90911dabd600ee1cebc7b69b1bf5d90d9685e3d166e6d

SHA512
1be5e6490c95cdb69c788ccb34d62e9314e9fca15417437b50516ee7e099e7cf02c2107e8426440b6dc567006896a7014640db0c26e4c22579cb079200c441bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3c16bdc0651ba3c954c9f4f4278a0438

SHA1
9cc0ca13cdc91573387f0613acd94ab1627c372c

SHA256
fc88eb4e4aafe1e34fd9714bf05eb4df88a0fc277cda4ee733d20a28c9f4ea91

SHA512
910a8586b352619d3b797e58559ea48f05c40a87c5ac48daef73c6f1a629801ca8b01f853c3dedf759c2fe29f3c86feb8818d088b6480ac7187045cff20b6341

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c3917cc4571b70cb171b3d438a2532d8

SHA1
f1b89d11d069949e56f1ed3740c3bd3cb1ad24e8

SHA256
1378b7ad8bda9011c05e9f53deaf13087396398e719af33f33bafc2256803738

SHA512
e68bf0cf675b8d50698aa6fa041ccef1949c95fe3703d2523cc53780329f771f56305498fd1bf25fd432c47f861a387db4ebe677c2c68c37862e8a2ff358e656

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
088604ba5c793d3caace8a206f48a1bc

SHA1
eb67edd4e81911555215281573defbd25275a82f

SHA256
74b2dcd9424e3cf53bdd6f4740b4e1086c4f79fe23861d356a22e28ce140ce6e

SHA512
f00425731259d37e697ef4131b2eef665b9a547806eeb9e7846b2d023464c0685c556756e7fcfb802914c2438b7b30ef9018d53225596679c3dfd2ab98c1eb67

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize
5.2MB

MD5
33dafd7162b23a822d5c77db9e8d4d02

SHA1
53b598162a4fe37fe3361e1d3b8e160fe46ea0ed

SHA256
ca4b5de93b618e4472324312b3306e5c0be0b0feedaea30feeb137b773982666

SHA512
9092b04254d15cabb9233e9b506f44362e50d6cefe89f4d5381f4848bb31ea058526d1e628e0106b78ae502846be21c889a213934e804619a75bb0bd37bf7e4f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
0454956bd09773020c87059ac9bb4d9e

SHA1
634773c998644bd1d34b674c93d694ef38f20a31

SHA256
6ca44ba5d25c8a0b682c2a9a858882972debb30e367aec3cf39582b2c426d25b

SHA512
9305ccfed351511453df8ffc2f69d48d08f23418960194336fffc4766baf5c9f6dbe6e99551916852e5d617533bac4c194b0aa0f624393c7ac0c9f9f1f2bcf83

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
799332667fdb943d238d86679cce5c17

SHA1
d0e8e969b96d34e159b6b97e8f3002fbeece382c

SHA256
9a3b38e6d7794bdad05dd808236f55f0fbb7d65b5c01211621f0bd0920f51238

SHA512
56fa4c17f766eab529a08076a15a5057eb5965f91c1820277bda34879d15d5b216dcf275dc2f2b38d4d13b6c5d8e83c10f4fa866cd678f68e9aaaea3c38bdd4f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
068a299dd75fcc5c3cccfa1fd828eb1a

SHA1
053682033cfd632a476ba89168cdcc9f9f813e5d

SHA256
65b0cd4a78f3bf4e5a06f8f49d875e15bb3de61b3c022a0ea207f4b65f6ec33a

SHA512
5c62e568e69268696617d8d2b069e17885a36a6aa02de1164ffbff010a5b7dd69424931bd9e799b0d05b5ca8ad2990ef01443056e8481c2b0da0ac195ca33912

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
dffba24616bfee2805a92c2bd946e37a

SHA1
534b6dfce72669d80a235bdb0298046349bea576

SHA256
a2455e1fb2be431811d2187099a6f9997ecce381379093e5cfa36501754760eb

SHA512
b3bcd4fd2756dc1899922b468c953401d6da47b73ec52deb8184935892374e7a8f657df5f03e69a7e4d9fc471696cb5dc64ab7f82612df7e408fbfbf005ee0f4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
61a901ec372eb7ac81f15ff9230c69bf

SHA1
ac875bd0e7b1f0799bd815c4bc00c706775e0625

SHA256
dcabc04a31776abbf9f91a26362b545f73974f167e21b938d924484f1a0e5404

SHA512
af9c2f3b7d2bbd16073a9944a5b7aa631c9afa8164fd4ef67827e4fe6fea09bef8c9d0f87495f1b285b0001a783d82df12add8538c56507e8c7380935e0210f7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
db326792dbbdbdb937f872edbeca231a

SHA1
b2a5f182a661d6b38dc83f66c4b0ca0c0ad48220

SHA256
fe1ba79510469a73dac7cdb8c6713d7250f5cf8238219bb9b8be77713266e499

SHA512
8d043ad4fc26f998359dc5ea5471adebc901c8480fde0ce6970f5d91ce8987acab048d6328cbea45f084665246f7f0568005b2c8ed37b78487d6fc058331eaa6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
Filesize
1.2MB

MD5
6c1c6f47fa6a57a0b84ebfa25bce02f1

SHA1
ca60fa2df4a157a228744b387576434893ffe7c8

SHA256
e1fdced5ff8b6fe10cc7f14d86e57ff3fe95baba3d162759dd7e44e5549cce4c

SHA512
4977c4263e7fe8dd514ba2aba3b14ee521c7c82c0e3c6ebcb79af3c90255e40d045bdfc530342eaa6dd553131cd400220d0a251d2cf0992dd971a1f7b2430153

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize
872KB

MD5
3d9b93864347728b462634fa8999b7ee

SHA1
9a448e52eec52657dc43ca73c2175801d4d47b43

SHA256
661863079e3d41f57f3df6fe9ebd4ec6092d06cc5298e1f638becc02a7e99c01

SHA512
9223f85f3c37d9ffe14a3563f02ac3a0d148fc01604e5ea7b6753b8f5c44ac45aad57d84be4ea760e49f89d881d248bae2ffd48ec4cba0615e2a7d28fa7cb261

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
dbedd8b0282cce595448c1902d379baf

SHA1
96289aed98c24b2fd4eef6bfdadc27bee5ba07e4

SHA256
73865e6bc37f148669abb63333c5c5b4dd8a4fa383871fa28a34cdcc5c63e22e

SHA512
9d15b46549af8e695a8cb02857c8617dd9542488015d5572ea0afc0a06796fa7899408557d10f0bf556b08ab8bb7bab95ec289e3e482c41ac96987470de1b27e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
1.2MB

MD5
d12d734a20f2496eb0c5035bc4412fe7

SHA1
080a3883dd98b9c202bc5e99150ed0db593834a3

SHA256
2c0320fbfab8fbcf197591801f7defedfbc0d7679f3d58c52dca71a36b8f1cb3

SHA512
8474bb908b8dbf6c5859608c5fdefde89ba104689967b067db38e728df180fce47013d5c6e58ca268fe5abbbd5352eae40be4ca91ff0000b4abde1e226d9fcab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
34fc5f9d774f22b8ae2c12b5e644e778

SHA1
b4450c71d67a5b87819fe3e38d26ba3232bd0dd8

SHA256
091474a898dfa9acce84f4e4faf75c34ee652bc36edf522a793a949472d8e0ea

SHA512
96e715cf24ea4af34eb6ee4a05932c1443fb6ee2d31f6f398962323f8b266042e6d1dd8453428171e9f18eab3df403c66ed19cdbedac02ceb72790fe76f431fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
1.3MB

MD5
c97a04136ac2f57248c064246b11574d

SHA1
26fdf0a87d43a1e3146f44b23a6849feabeff8f2

SHA256
fe4477d53f7ff759be71ee6c0a4c38fdb2cccd25325027f1de9204c61be8d57e

SHA512
84b99f1a05f6a630bc356749fe4de2327dfd5132e867bd9d6e809e85c33d6b923633c7008f7dabbe6e617478aed3d59be561177f6bce133f5ed175170726818e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize
8KB

MD5
711a3712a8acd16e21a3e564f9a0ea9a

SHA1
bc71e5da5b6e75af8863059ddac73eeb40c0087d

SHA256
84e6eb67d4478168eebc50970f8297ff029c8a762f7730a64e9086f98b6e17f5

SHA512
9bb7cabbf3c519a61c8d16f139ffae8a6e65e0961f1da2b1d3b0523f651659c9d0edbb1efd5f4df1fbd4962aa1c937f09bcb22157ec234801cbd32e14ddcf670

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4099ddf4991a876506267bdf44fb1613\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB

MD5
b8c32c938a8dd190cfb3c96d274f7450

SHA1
e05fa6b71533e8d558a48908b3415a616d5ff011

SHA256
8b32dfb6eacc14eb685aeb0fe3bfb64e7a4f25c8626cfc3f943d83584d1025e2

SHA512
d61f0dfb96b4d884757739adf87c6a7f4bc9d0172f49a78e4a99e9b8db97682926070264b8bde680aa0522808191c2f1761828cbc0f8bc53284d40c28f4b1cf2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\41dc8782f3429bbc6c16007018884820\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB

MD5
fcf0370a3487e72eb7f92b6f646b88df

SHA1
748f984819e72d44e3bf136fea090e6d039764a7

SHA256
1db6213a0af7f46c934b2a1bd4a738d38f5b644fc43ac8d105a23e0ef21d464e

SHA512
ef3b5d541e8efc416d94aa634b6a1e19b9449c62fb51bbdd2fa07d70f767a1c3613b27040f49bc47be805f8b30986549282d92dffb94f0c52552aa2535a98d3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ab4dd123907f731a120973ce5040c2f5\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB

MD5
b04246f84870017340aa25e113818942

SHA1
191a8b4a89f36ca28607ffeecfac9756dd90671f

SHA256
86626422a0eb920e1b8cc1ce2a952bb2d9dd58710e35be9671b7eba0bed40944

SHA512
6081432a7f9e656ea83b6e9ae431b20bcf454b1a985165b9dd9fca116c7a5f78192ed2d718d24b670e0cdab760206b83b7df65eaae9deafc3d1c521692e29b4e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0aa080b13abc08580b55e13e8812fc8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB

MD5
c7e470ca30c01b5f5db8165f7fb2d872

SHA1
2463986542ab01ac527089323e149ddf64cccb1c

SHA256
8dcd2800be16d5b16fa409e0e81f657cb64188b816af6221c05a6ca27cd7fe75

SHA512
2086da93f8e244ad3d933e606c130d9f1c98dee18ced2ff3588c8bb49746d308da982a1eccdf0bf98a50a759958c6b32ead87e003e7ed64ce05534b1cf9c9fad

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\ehome\ehsched.exe
Filesize
1.3MB

MD5
e45e39c111bd53b1e37358b9fb0c1ebd

SHA1
feed53e47ead03dd8f698ec1e329add1ba39cf2a

SHA256
cbaca468a3639572f943b1eca270b884739684b4bce5999f0d4d492c0743f4e4

SHA512
ca32840263e1a4fa227c529670e4d3c36efc02f58061068ab11d836d079f729a36f8da94f6deb7a2c84a0509b1a99117be4da551e6f159f7c2b8ef2e0f953c1f

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize
1.3MB

MD5
3a517d7075e068cbeb555012aeb7533b

SHA1
c5024deee48a693999ac9a81098813241d43282e

SHA256
96dfcd8ed2327803ef5540b9fa6331406419474429adff697db0e6d5d1f4abf1

SHA512
e2c185f229fc2f37129f659e71e0cbc1849632851492c923ac5dd136c3c69f47dd5403a3599ec3cc8766b0e548137e0aac1664f75b5dcbeb30d055aa40ae4703

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize
1.2MB

MD5
24d6cb3567d779916287c42a1567252a

SHA1
e71dc568dd4b0a95b5efb9a271c1f609930465b5

SHA256
9402b5ebf571c9e94bd5f031a5ab3056fa4eabe5594fe996d7a6d059e89f7648

SHA512
fc0a30be28cdf4067d034449873fa8a295e8700a073b7790ee347307c770bdeed93f93ee1b468cc5781b3f6003791f82883bb58d9fd2026f09b0af4f38594fa8

Download Submit
\Windows\System32\alg.exe
Filesize
1.3MB

MD5
09c6043e1e6509350e1efc4e2261d81d

SHA1
a26d5c79f901e89ff979eac92a9c46028b8e4ad2

SHA256
effa61dd1084825e52a29ea7d0176e4b3b2cc961cc29e05198031d2fbd551473

SHA512
20e152d85ab7e5561ed06c0e35da257e2a5aa6ffd219856f102073eee093787e2150659591f9f9562484d2ef748ae77f5ced78883720911793205ff4f871988e

Download Submit
\Windows\System32\dllhost.exe
Filesize
1.2MB

MD5
e0ffcbac2b7d0d8cff1ec88726e6f2ef

SHA1
836d83c8a8082663fdc68389f2b51eecfe6b5ef7

SHA256
b9efe43be925c7a9d6b6199bf2be142739ac203cae9515cb633f99dc741e2e90

SHA512
07d453ac1ccc7c2d0ae77fd1fd05e488dfbb52e86c9178644dacd3ff17cc601babe6b91bfe7acc4151743fbe00ede366ff1f38445088c7b22749cd43d0ccf49a

Download Submit
\Windows\ehome\ehrecvr.exe
Filesize
1.2MB

MD5
08ddd0e8813107f3391aab66cdfbd0f2

SHA1
13107171350d379d0774e0e67d4d243a557eb7d4

SHA256
543fc96c4c989be0491170d3cce6a9ceaa5f6d2d6e0ce3eda453c97cf43f96cf

SHA512
6ae8af6c004e780c4e7f1f4018783233c7725899e794bd7de2cf9e1282c248f735f6a887f2022478913d6443435fc05906387d982859ea1ced26b5b430db61af

Download Submit
memory/372-706-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/524-900-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/952-838-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1012-94-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1012-273-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1048-729-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1064-849-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1080-591-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1080-602-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1100-479-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/1100-151-0x0000000100000000-0x0000000100136000-memory.dmp

Filesize
1.2MB

Download
memory/1100-152-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1100-158-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1116-143-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1116-114-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1124-861-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1124-846-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1176-567-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1180-719-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1180-734-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1372-98-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/1372-97-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/1372-131-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/1372-105-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/1400-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1400-246-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1400-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1400-150-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1400-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1576-481-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1576-418-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1584-638-0x0000000003C80000-0x0000000003D3A000-memory.dmp

Filesize
744KB

Download
memory/1584-642-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1664-526-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1664-537-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1740-611-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1772-821-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1772-810-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1892-818-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1892-800-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1976-792-0x0000000001F50000-0x00000000020EE000-memory.dmp

Filesize
1.6MB

Download
memory/1976-790-0x0000000001CD0000-0x0000000001D5C000-memory.dmp

Filesize
560KB

Download
memory/1976-121-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1976-789-0x0000000001CD0000-0x0000000001CEA000-memory.dmp

Filesize
104KB

Download
memory/1976-788-0x0000000001CD0000-0x0000000001CEE000-memory.dmp

Filesize
120KB

Download
memory/1976-122-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1976-127-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/1976-787-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/1976-791-0x0000000001CD0000-0x0000000001D74000-memory.dmp

Filesize
656KB

Download
memory/1976-795-0x0000000001CD0000-0x0000000001D58000-memory.dmp

Filesize
544KB

Download
memory/1976-793-0x0000000001CD0000-0x0000000001DBC000-memory.dmp

Filesize
944KB

Download
memory/1976-796-0x0000000001CD0000-0x0000000001CF4000-memory.dmp

Filesize
144KB

Download
memory/1976-404-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1976-794-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1976-799-0x0000000001CD0000-0x0000000001D36000-memory.dmp

Filesize
408KB

Download
memory/1976-798-0x0000000001CD0000-0x0000000001CFA000-memory.dmp

Filesize
168KB

Download
memory/1976-797-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/2008-551-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2008-539-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2056-635-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2060-760-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2060-756-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2076-271-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2076-538-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2076-263-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2288-688-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2288-684-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2364-683-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2424-282-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2424-286-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2428-407-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2428-421-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2464-554-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2464-289-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2508-140-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2548-550-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2548-564-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2620-504-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2620-525-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2648-672-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2648-652-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2680-302-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2680-576-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2704-744-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2704-757-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2796-710-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2804-403-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2804-320-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2812-590-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2812-577-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2880-878-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2896-259-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2896-250-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2896-253-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2896-520-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2916-901-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2924-163-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2924-62-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2924-59-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2924-55-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2924-88-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2944-617-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2956-661-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2960-252-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2960-500-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2960-164-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2960-171-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2960-165-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2960-251-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/2960-766-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2992-502-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2992-480-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download