815baad898a5bddc2a00b84f7f75b6a575f706d4d09fb2b66aa4d9c2cfbaedbb

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe
Size

1.3MB
MD5

81d19801a72553589fb65bcf49688e64
SHA1

44d46e9f84bb2b82803081679a9a0ed7226275bd
SHA256

815baad898a5bddc2a00b84f7f75b6a575f706d4d09fb2b66aa4d9c2cfbaedbb
SHA512

a7c8dcfcc8011c269656a2e1e4b23483501db6f2e870a77a26024aa50d43a22ca7c2368451b26743bec41ef8f12e397bfdd4756017bac5cd379f103133b73fc5
SSDEEP

24576:W2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged58NDFKYmKOF0zr31JwAlcR3Qi:WPtjtQiIhUyQd1SkFd5gDUYmvFur31yH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2884	alg.exe
2652	mscorsvw.exe
2352	mscorsvw.exe
240	elevation_service.exe
940	GROOVE.EXE
2532	maintenanceservice.exe
1040	OSE.EXE
2236	OSPPSVC.EXE
2344	mscorsvw.exe
1732	mscorsvw.exe
1628	mscorsvw.exe
2676	mscorsvw.exe
2268	mscorsvw.exe
2680	mscorsvw.exe
1828	mscorsvw.exe
2324	mscorsvw.exe
1288	mscorsvw.exe
1324	mscorsvw.exe
1248	mscorsvw.exe
1404	mscorsvw.exe
908	mscorsvw.exe
2308	mscorsvw.exe
2188	mscorsvw.exe
1936	mscorsvw.exe
2644	mscorsvw.exe
2668	mscorsvw.exe
2388	mscorsvw.exe
1980	mscorsvw.exe
1080	mscorsvw.exe
1112	mscorsvw.exe
528	mscorsvw.exe
400	mscorsvw.exe
1364	mscorsvw.exe
2664	mscorsvw.exe
2052	mscorsvw.exe
2184	mscorsvw.exe
1980	mscorsvw.exe
952	mscorsvw.exe
1208	mscorsvw.exe
988	mscorsvw.exe
2572	mscorsvw.exe
888	mscorsvw.exe
2040	mscorsvw.exe
1716	mscorsvw.exe
1720	mscorsvw.exe
1396	mscorsvw.exe
880	mscorsvw.exe
1972	mscorsvw.exe
1832	mscorsvw.exe
468	mscorsvw.exe
3012	mscorsvw.exe
436	mscorsvw.exe
1404	mscorsvw.exe
2820	mscorsvw.exe
2140	mscorsvw.exe
620	mscorsvw.exe
1628	mscorsvw.exe
2320	mscorsvw.exe
2676	mscorsvw.exe
2004	mscorsvw.exe
1820	mscorsvw.exe
312	mscorsvw.exe
2024	mscorsvw.exe

Loads dropped DLL 44 IoCs

pid	Process
952	mscorsvw.exe
952	mscorsvw.exe
988	mscorsvw.exe
988	mscorsvw.exe
888	mscorsvw.exe
888	mscorsvw.exe
1716	mscorsvw.exe
1716	mscorsvw.exe
1396	mscorsvw.exe
1396	mscorsvw.exe
1972	mscorsvw.exe
1972	mscorsvw.exe
468	mscorsvw.exe
468	mscorsvw.exe
436	mscorsvw.exe
436	mscorsvw.exe
2820	mscorsvw.exe
2820	mscorsvw.exe
620	mscorsvw.exe
620	mscorsvw.exe
2320	mscorsvw.exe
2320	mscorsvw.exe
2004	mscorsvw.exe
2004	mscorsvw.exe
312	mscorsvw.exe
312	mscorsvw.exe
2964	mscorsvw.exe
2964	mscorsvw.exe
2760	mscorsvw.exe
2760	mscorsvw.exe
2440	mscorsvw.exe
2440	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
2740	mscorsvw.exe
2740	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\88bebca0ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP498E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3BB9.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP677A.tmp\ehiVidCtl.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC41A.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP514B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4BEF.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4588.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B0B.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4827.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1176	2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeDebugPrivilege	2884	alg.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeDebugPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe
Token: SeShutdownPrivilege	2352	mscorsvw.exe
Token: SeShutdownPrivilege	2652	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2344	2652	mscorsvw.exe	36
PID 2652 wrote to memory of 2344	2652	mscorsvw.exe	36
PID 2652 wrote to memory of 2344	2652	mscorsvw.exe	36
PID 2652 wrote to memory of 2344	2652	mscorsvw.exe	36
PID 2652 wrote to memory of 1732	2652	mscorsvw.exe	37
PID 2652 wrote to memory of 1732	2652	mscorsvw.exe	37
PID 2652 wrote to memory of 1732	2652	mscorsvw.exe	37
PID 2652 wrote to memory of 1732	2652	mscorsvw.exe	37
PID 2652 wrote to memory of 1628	2652	mscorsvw.exe	38
PID 2652 wrote to memory of 1628	2652	mscorsvw.exe	38
PID 2652 wrote to memory of 1628	2652	mscorsvw.exe	38
PID 2652 wrote to memory of 1628	2652	mscorsvw.exe	38
PID 2652 wrote to memory of 2676	2652	mscorsvw.exe	39
PID 2652 wrote to memory of 2676	2652	mscorsvw.exe	39
PID 2652 wrote to memory of 2676	2652	mscorsvw.exe	39
PID 2652 wrote to memory of 2676	2652	mscorsvw.exe	39
PID 2652 wrote to memory of 2268	2652	mscorsvw.exe	40
PID 2652 wrote to memory of 2268	2652	mscorsvw.exe	40
PID 2652 wrote to memory of 2268	2652	mscorsvw.exe	40
PID 2652 wrote to memory of 2268	2652	mscorsvw.exe	40
PID 2652 wrote to memory of 2680	2652	mscorsvw.exe	41
PID 2652 wrote to memory of 2680	2652	mscorsvw.exe	41
PID 2652 wrote to memory of 2680	2652	mscorsvw.exe	41
PID 2652 wrote to memory of 2680	2652	mscorsvw.exe	41
PID 2652 wrote to memory of 1828	2652	mscorsvw.exe	42
PID 2652 wrote to memory of 1828	2652	mscorsvw.exe	42
PID 2652 wrote to memory of 1828	2652	mscorsvw.exe	42
PID 2652 wrote to memory of 1828	2652	mscorsvw.exe	42
PID 2652 wrote to memory of 2324	2652	mscorsvw.exe	43
PID 2652 wrote to memory of 2324	2652	mscorsvw.exe	43
PID 2652 wrote to memory of 2324	2652	mscorsvw.exe	43
PID 2652 wrote to memory of 2324	2652	mscorsvw.exe	43
PID 2652 wrote to memory of 1288	2652	mscorsvw.exe	44
PID 2652 wrote to memory of 1288	2652	mscorsvw.exe	44
PID 2652 wrote to memory of 1288	2652	mscorsvw.exe	44
PID 2652 wrote to memory of 1288	2652	mscorsvw.exe	44
PID 2652 wrote to memory of 1324	2652	mscorsvw.exe	45
PID 2652 wrote to memory of 1324	2652	mscorsvw.exe	45
PID 2652 wrote to memory of 1324	2652	mscorsvw.exe	45
PID 2652 wrote to memory of 1324	2652	mscorsvw.exe	45
PID 2652 wrote to memory of 1248	2652	mscorsvw.exe	46
PID 2652 wrote to memory of 1248	2652	mscorsvw.exe	46
PID 2652 wrote to memory of 1248	2652	mscorsvw.exe	46
PID 2652 wrote to memory of 1248	2652	mscorsvw.exe	46
PID 2652 wrote to memory of 1404	2652	mscorsvw.exe	47
PID 2652 wrote to memory of 1404	2652	mscorsvw.exe	47
PID 2652 wrote to memory of 1404	2652	mscorsvw.exe	47
PID 2652 wrote to memory of 1404	2652	mscorsvw.exe	47
PID 2652 wrote to memory of 908	2652	mscorsvw.exe	48
PID 2652 wrote to memory of 908	2652	mscorsvw.exe	48
PID 2652 wrote to memory of 908	2652	mscorsvw.exe	48
PID 2652 wrote to memory of 908	2652	mscorsvw.exe	48
PID 2652 wrote to memory of 2308	2652	mscorsvw.exe	49
PID 2652 wrote to memory of 2308	2652	mscorsvw.exe	49
PID 2652 wrote to memory of 2308	2652	mscorsvw.exe	49
PID 2652 wrote to memory of 2308	2652	mscorsvw.exe	49
PID 2652 wrote to memory of 2188	2652	mscorsvw.exe	50
PID 2652 wrote to memory of 2188	2652	mscorsvw.exe	50
PID 2652 wrote to memory of 2188	2652	mscorsvw.exe	50
PID 2652 wrote to memory of 2188	2652	mscorsvw.exe	50
PID 2652 wrote to memory of 1936	2652	mscorsvw.exe	51
PID 2652 wrote to memory of 1936	2652	mscorsvw.exe	51
PID 2652 wrote to memory of 1936	2652	mscorsvw.exe	51
PID 2652 wrote to memory of 1936	2652	mscorsvw.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_81d19801a72553589fb65bcf49688e64_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 1d4 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 274 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 24c -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 28c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 274 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 268 -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 224 -NGENProcess 220 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2cc -NGENProcess 298 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 220 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 298 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 220 -NGENProcess 298 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 298 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 298 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2e4 -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 324 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 304 -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 32c -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 30c -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 334 -NGENProcess 31c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 324 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 32c -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 35c -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 344 -NGENProcess 354 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 364 -NGENProcess 34c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 354 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 34c -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 34c -NGENProcess 368 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 35c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 374 -NGENProcess 380 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 384 -NGENProcess 35c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 368 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 35c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 380 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 35c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 380 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 35c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 368 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 380 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 35c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 368 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 380 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 35c -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 368 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 380 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 35c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 368 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 380 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 35c -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 368 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 380 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 380 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3e8 -NGENProcess 368 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3e0 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 368 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3cc -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3cc -NGENProcess 3fc -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 368 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 368 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 27c -NGENProcess 3fc -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 3fc -NGENProcess 410 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 1d4 -NGENProcess 408 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent d0 -NGENProcess 27c -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent d0 -InterruptEvent 27c -NGENProcess 414 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 3f0 -NGENProcess 3f8 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 2c0 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 418 -NGENProcess 414 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3f8 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 1dc -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:240

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1040

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
d8067d1ba739708813ed5e75b725abe4

SHA1
b78b137660895d157c10cf6214b626fd6d328fa3

SHA256
d43bb847aaf5ec7f20dd97f59cd303fcfa90fcc93b9ec57a6ade344917271301

SHA512
37fc59d28f2bb5d17cfda880d2e756bb6e2e2aa5abe317267a52b09d771694c8fc583c07deaa1d974f401b9f90c1e4d61697edb6ced0a5f31bd66ba9d46bd7bd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
1ae97ee3459574c68f0152fb21c14272

SHA1
4ccf5835faf9667696e28127f1fa4dd66373ab5e

SHA256
cab315616559a274b3ad0e37e70ca24079f3827ca98b65d801459a830036a688

SHA512
aaab3393b5c9c642645f75adb6e714fc1fb42aabc749f286d6d6d3620bcfe74224a9c444e75782d70f5f29543b877f564495cf6856625a121e0969d1ad2c5c72

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
243891712558f3816e8ba8a5b74bf3f7

SHA1
727dfb85409f2a3ca16d88bc16e4898ef2ba42fc

SHA256
c08ad56c5f484f64c7e0f6bcc73542f1122c9cb8be165de2d6991ca54db2b6b2

SHA512
b7267c9594505d4c6ecb81e6c21593d831d0f2647a944629660695c85a615165a06974c467760ca45785dc10b5b094ebfbe2013ff3a1a5639e7ac88edf68a18d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
b39358dca441f8c4391c648a7e8a8363

SHA1
83a78df38b83fd7978a1e70ed46ef551b19c5ee8

SHA256
ac1a9b26519c9f72189a168c9261c2a014953d879b226b6fff0d6124c7a2c05a

SHA512
80c9e7de3fc5a2c5da4892aa09e83aeffe07322bfd848efa587777f25d98c7c3bb7924eeb45ad578fdf96b84e52689103e332a4c8e914cb2ab242516f6aa9920

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
d351e07b106579f47ff047800d087430

SHA1
7a8f4a3e8a054a245a8892de8f22752a5b5410c6

SHA256
449f86423114052ab1351c69e4ad23dcc69866c077f6c81cc77e2804afba1f5f

SHA512
c2080340aad4d648578a042c1216899b8e4b4ed36b307571ff6bb5f90071d22399eb4e82198d02080adb0af82d43ae4f24f50f882342a044de36511da8c9e470

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
fd8bd71861c000c535e31ba168697a7e

SHA1
d61771646fc89803818214708c3dac9eb26f700f

SHA256
05901216b9c9865b80cf752bd19b64038eeb5a234bbe6a426b3de305744387bb

SHA512
4a128e31ac9a7f70b8551ea02cc95965c3c3a7d519d5fe586e34d7ee41b4921555e815e6462e357e787d074d34b5a6a3338cd92a93adc13ddd04b6a7e9418feb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c1b4287743e29ba8544bff77b081036e

SHA1
594e2de0ee7532261ede6fd47c35ee7b772c96cb

SHA256
8e7022f86c59d73d1402a5506caa0f709a8285db3f4f70fb1870fd800bdba6fa

SHA512
a9d1bf7d8cf43a492172ff9c6bfeebd1a405ebc03cf62288a06837367488bce1f3275dd96b0668ce6a389f9b89df2afe9eb9cac8f4433acdff22548a0354261a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c301815798bd2b706c96712b8a32e910

SHA1
2d25494e12121ff8f755d3f81e4518d458fd5004

SHA256
a6a056b720ceed0c81328a37d373f80cc63e589b5fe9d42a86319c5a0eeb47e9

SHA512
e9da2524c49118d29e2f251ec2ee1e9e12dd5d078bbe2d7a0dab22ec86624336735d9bbadf33c98236fa5c911a3b36f70dc45174ccc068195a8d4e5be758e864

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
43119b1d385075e221978df3eb17e322

SHA1
f70355201fd4c04ef2be49fb07d85030d9a580fb

SHA256
c31f696ced0417569c010575e064ad7d9c475acc8d0c3e0c8e7d226900087d67

SHA512
ec158e85bf8efc0383b6b434757d3d1eaae187d79220bcc9c4e544695a3f9efcd998992965d055482c5efb294b8508c5c218ae34160a80d9796c64ec03aae438

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0a12f78d93675f4df3ff7b9e2f57bb65

SHA1
8f5fc2501709f55b6a5bfdbd92e7aba4be5fa532

SHA256
ceae88390c1c46702194bc7ee8697b19bd880f8e2ee56c8d3b61c62186bbfcbc

SHA512
ec09097d3c9312e2e02a16cde18577d4de3966bb6da7736a0f6054559d5554a3ac90b9c4fce53dc333cc1a49f49887c44cc02f475dc6fa48a19d724490b94607

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7d73bec744740dc4bd4992d2de961418

SHA1
0a34e1d5f6532f9008caf255ebec93f0b1cf3ee4

SHA256
5be5cb5e6a6311fe50e3f37e08ba1959f0be1e72c25d6fe957b7da539bbeaf6a

SHA512
51b657fa73500cca7907a4a7f1fcceb988f3e1c20c8a76c38cf77eca61972a4a0b6467d3ecadd4d0ec2839c841537bf58b16984bf46b5bd4814279cc6a3f3d21

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
282bd0e5150609372a3e646ab348a054

SHA1
42b23f290971d5132fe655e7852f9a304e51b4af

SHA256
8c6684a105cd6c3e3fc9ba1817b202df7033225a8a6afefdf03880ab7edb26a8

SHA512
3a5335a36924a410a3b445a3e7cd694dfdcd3b7d33a46d3e74e9487adc31fe4d6a60acfccf755c58d5b97371af66258a79603df67db0f7eece9b95df80f77010

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
94581c1cdc61ce34b213445f7838723b

SHA1
5ef29fea1707416239f5adda3ec25e9d64c5f171

SHA256
35bedbd01e362676040f4310f61fa29ddf8182498f1daa2560bde8c859512858

SHA512
263a3b87e30b6e69e8d352448e3498d168ae2b75e345290c67a59605ba0cd06ad5535ff4b3367b5bdbf6713c08f81fe95b3afd3e374eb1c40c5727601061cf88

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
269472639de55879a6512163cca30505

SHA1
6a54dacb47b1904f1b98fd45e46876137a99302c

SHA256
5fed222fc80f4bc45b24a78ecdfc0aa7fd60cf24fd231962fb633de9f6268b54

SHA512
d66dde7d0d8a0773d6c2cc5b277e0bf80ea15fe8e3d0a713af4aaa984f83cb99c73a867995f781119b48f38c385187f2a396c36a58cd0314efad255597919e50

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
9eedf88ad86be063efee0ab21484346b

SHA1
9201ec6dd72b5d7f9dcdb0ae8c38089d3af9e5ce

SHA256
4906ee19f8307b433a790bcd5290c3eb6a880ab0686d4385ecc28b420cac563e

SHA512
969b180ddce0ac96fa0c7271656b958002a38a4c343e16c719f378537544babe4a78293a1f44e26b2806d8b6eb9ef0aa3cb0da457421583c9feae08b18a64458

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
af5f8de54f478db320530bed7d9b0b33

SHA1
be781e007b800cf19aacf1edc8e19da00ed07bdc

SHA256
e9b8ef7d422ba327e44db99720704264cfb14b65b6c2670914be884092dfbee4

SHA512
edc07ae6cecce62bb13517b913648673d2e2cffb8308a2b9008b4dfb30fe0799e81234be3dfeb2d3c0be32bedbd10c6162c0aae05d2588af252a1885db9d84e7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
bfe1a6b60bad6fcbc6e3139ad15a70aa

SHA1
e0678d46f4fb078633983c2df45ec7d7af9e35e6

SHA256
9c09184c5b4d4977a1e4788597ea1cf1cfa814a14b93d5796ab7f12f50a463dd

SHA512
d1cb0e9d3aaf4557389623bff67e469891105a65d5e669d442899c7833a5ba524b20dfa6a7bd00f06f7de088eab27462ae7c017d16ad6b29a95cf1cb578bba9b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c11224cd377bde4f1903d6bf12e1695a

SHA1
2643e8b12b3132b7c6216bd2fe49daa53835c770

SHA256
ee58a33b1e5108654ebe5a2d7e4013fe9a26495c8e56cead015ba2c84b652c3e

SHA512
b14a6c359c9a34764c1e3ee24ff54774469f2e1a98f1f3d1d2cfc22abe8dad9a0cde93800a43de6cb5c4f52ba81b76eb1da1508f7fba406189d3ef50359149b0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
0bb58fefadf6438ddf647c248da8a2ee

SHA1
2a83f98d207c34e8745e152eb11632ee56b89932

SHA256
eb5fa4e29a96be50736ce567422dd44b29e13c854d541d53163abe5308246219

SHA512
481b6f9b676883682a6733df83aa0eddfa72d72f995d454fc99623149390c009837b145bdd2f9652f4b5ecda7f9408db455dd98aa55eac6f5f260709e4d8a968

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
6ca6e370c5531e8de957b73713090f9e

SHA1
3c9dcecfdd18567ddb60ea54eff40d35eb812a9e

SHA256
da3b5ac385f5b374e652ee9ccd632e761b16c3fb3c0ac7422a41892544e12f0c

SHA512
cedfba7007f7dfdc398f6dfe698f542ba5d340a655bfc63645e3184538487a771f9cea600874f45032a0300ca9dc3b92c6126a2476722ebb1c17aa96eebddc67

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
550b9296e3a36d9cea80bbb8e5b60b6a

SHA1
640923039b31554011f56d6f268e0585fedaef85

SHA256
8e37b83cc59fc97dc004298ecd8a6efe1ab4a33423688a767d08f83dd36504ed

SHA512
6e2e3daa61fa874648c69ff2fa35103a1968a98e23d8c1fb1760175c191df723793998499356be405be0cd816ef05a2f93a0f00fe5f65380c37d46d6d5ebf25a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
36a61d267c4113c16241665aab848abb

SHA1
77cd53bceba421822b8ea1a76eb55fb093996b02

SHA256
78fcfedc31d5821d5ea64e6bf4b54a0d73c1c25a7cf48b7f4658dbf1f9bd9a51

SHA512
1dae39ba88645a6f482e5b7d0f83e602dab7827d0827b4025ea9df5c8cd54179e5a2e3493f8a3618bdf1e0563f7d9e0245a38c01405800dd1b882d77ea9f1d42

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
6f3cd043d3a647bc21a4b1a0c12ed38a

SHA1
77e009739ef5299ae432a8a77433ac67749e0f73

SHA256
dfade09aac244a4def0559404012624e8804f24bbb046da7a3a3215193ce893a

SHA512
f4592de18c2882750e7744946d6c0c90e19c2f9f28ee00140ce5c3451c868303a047bb00a26c27d4d15674a8d3574a7676f82d2eced9d83e8aa136775c95fbac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
6fc73710de6abaf002c993ea1833622d

SHA1
cd5d5c784f62fc70bcf6dfbd7f79cac1e1cb6c3f

SHA256
d0ab9cdaa9cb9c48825a9f949ed16ae1cfa765af6d5048ece867d3625bd2af2e

SHA512
2305fbe75ebab0294693f95f84c6ae53f76f06db2dad3ea72948f07c522f0f9fd18be9d7f63dfdeedd93075a9b3d9451886810a9fbebbdd54bca56c32852cb46

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
8f6b024d79f2530d3d12f5e0dedf9414

SHA1
cf83679e232f05e2dab7653eb47d3ef9ddf5a5ab

SHA256
77a328c9dd56a3191444939345cf331a05840e0877e704b46e7ff3206a589b5c

SHA512
973be880fd567da3cf17fbe65d6c26818b1f9793b516d298feba69830d87ebd260d61e1b0e518ef70835ccc2b667b9fb3027585f6d84333015acee9e0d8af70b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
2e645899c72acdc395aedf14f3649d64

SHA1
0ec241ba5a6c04e8640bf892af40974a395b37c4

SHA256
4788e7088f478925f64011cdd8bacafde237e051f46a973b8542b5cb64a95298

SHA512
8afbb87cbdedd02b44620837c544d26ac62041793ca17eb349339c7906e0d6e85d53272f8cb7ccf175018e3b610e3c66335f56073ab40ade357f2c1c94ad3546

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
15dbbe2f69135afc794b9925e4ca1636

SHA1
9a2b9a2ee092ddd713a6a6b906a9e143fb24ba68

SHA256
d26451459377dd91ed7debdf9fdc6f6c75fad8ad164b6e146099ce1229551a85

SHA512
ff33e2ebc08cfa9239ce90217d25da976befa3259f616fee525adbf03f2b5139d548241686a3fec7688a0773c58559724a494f7a5a50f4300ea34d8814f5eb2e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
577KB

MD5
3fda967fa5f60871d952f67f06c3ad7a

SHA1
85442f6e5e21ccc82736946100201c818d793ad8

SHA256
3f6ee72d46b0794503a42d66aa78817a72f6cc9505e7aa1f9967dbb3c146135b

SHA512
54c5d7892378dacbcd4d102aa31f7f450576b7ea831f901842de2febdd4bd5cea1f7bbb15e67033972f586410b638e2b07c7c32fb7538b0e1c6b4b2ad09561bd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
577KB

MD5
2692783b0ec64ce8e1b42b2ffc812786

SHA1
2a82d7b1fba4577494ca56bcad99de99270bad36

SHA256
b44fc430a8907fafbcc72b9e94fce634051464cedb7a7f42b6d086fe1ce3929a

SHA512
442745ab1fab03c0c6c9b192e4386794dcda203f9c0a1e02d7beaec3f69bee6c322f20553883b3c8df3e084bead4f39e8693ded3b1281e7d4c8af76d36d1154d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
639KB

MD5
61d2c2d71a2c2493f00a9fff04aced0e

SHA1
283165c89d666c60433d1e4e4d6513524f2a18ad

SHA256
b971ae8996470fb520239d1325a855b704cec6dd4bb04c5f42584789dee122cd

SHA512
0ddc45dbdf3d2bc25f9f1fc58eb7eaecad8b92c26001cec4b1f7c62a498c030259fa5d23e73162a5245fbda5c439394f0baae6069915225034b56bf633333b99

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe

Filesize
577KB

MD5
8a98b57eb7b5f441d4530f666ab10be9

SHA1
8c79b7e116df9d4ead13f3d250c84336d5976944

SHA256
1e8bbfca8eb1bb9250eec6d1505659d89a2cbe17e0bc16b4e82860c44c06d51a

SHA512
b2da7681f9dd5f4aea3db4b21d648b693c419d4263f73f71863ea0829acff5760e9ae59389dbecda42339efd65971d227e3172a68a1fadb51dbee3500712ea52

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
a11d70b6ea3e87000d3d505d5197a232

SHA1
aa48527e4715c1bf4e7ad079ae35686a1b08e223

SHA256
41ddaacaefe1aa29294201cec29094c5002ff526262ff832746d2eace234dece

SHA512
9e7d40059947aba283b8fc2b879edab568f84d78628d9b04ad8717db2f59286a1e37f25eb7f9098675013cf38ab4d81340b947081399f68c1434a34bca7ab63d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
6063da88c106bd0028c250948b6a2d44

SHA1
d9c4c5700d4fef7dba9b49791cb3de2dbb4afcbf

SHA256
8e782704282fd45eb7761f57c6d007b00164942afe8d5d4ba144a59686a2c9ff

SHA512
802de548efa48c0ad05b6aa17906035fa680cb9b915cb76771874b15f316ab75fef6edc52a78f8b264337c248398f56dce52957b9fc7bf435f2af777a1684c4b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
6f5e2f0fe99313cfcb4e19a0f6e1c9b7

SHA1
bf21f871578454aed02989dc9029728a0d727466

SHA256
abce55041f85b043df82360ae4ea0d0060520b350176037eedb049de9cc8c2e5

SHA512
cc2c43bc0fb243a36076158faff82330c7618b3f46ae1ea6c757f60aa2714cacb27073a17da86c6f43e3bfdb178e5d530ac1d35c910a0de22acfc3a6260e93e3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
e9100f68715fe7a12bdd78a93949c790

SHA1
903d7f171f691a0370633bb267a0e1a279015c1e

SHA256
c0ee23c99cd4bd07c3a214c54d4c6007cbdca21660e37b7792e7d048be64e20d

SHA512
bcf066e22e7c7eace5b051186defa95df598929cee833632c4ebc601eb202a1d859f46945ccf7a87328365e1feb9c67e170371573ff96bdb0b6c59cd8c5538e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3910952db5afe647cf3e03d2b9887f78\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
6ef55f2a682a9a71f6351e223b046da2

SHA1
df9fefcc0da33a211b094bb8e97c3234cc5dfc9d

SHA256
5631d0bae9efe73abecff7abe7609a35b0f5bb87799cc29bb7bfa29354bfe627

SHA512
9b80482b19688e858fc724f46a96230e80ac3df7015a9c039570641b1b079431fc1b99feb371840149fbf7e79611da6aee16ab5c682ae726a70ce4547f820c38

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\525025517cd26beae4329f51bd735f21\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
1d9b48719050e3a8bb232d92fbb623d3

SHA1
3a9d2164d429b46d7eaaf0bee9123ad6d728c0d1

SHA256
e3ac43a753a1ddfb61a216be3790663374a4cc50f02f14a3c1a706e55160d7f2

SHA512
6871c99b87a5a2450c6fbf78e3cfbfcd48b19ca0c6690af898637f690d60e1da5def2f204c4dafe2ff631dff19298ee60f810fc96a3c4c11aa4fbcec0d76ae3c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP585D.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll

Filesize
83KB

MD5
c646e2156891f5771fa5f87d9491fc65

SHA1
ec53f559aa42c9f89d45bad794f7f6cb64c27517

SHA256
02ae45b89b84e32c100b6da8070a7f9a15777497c9c250632fd1cefd390f8c80

SHA512
071016fdc6a77bcb14aeb4ee68a4e8a995eca7031a0e02d8eedd798136fc5fb7df885ba887bf1caf68e9c0e3cbf159484a44ed7b104cf26368df108453d584ae

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
2726e490511fd76090918eee3b460183

SHA1
ac77209ddef26cae01f38b459e2fcecb9d24719a

SHA256
004a34d63b0c8cd15b54dec1e08fa3ecdccf2a78d156ca7f8f371ab7f2151105

SHA512
79b4fc6e0a614015ba1973ed52147a909bfcc3309e0489a669c809466a03293934e3e6e534ba62f5e02dc1c8c1bd88c04eb5910776bef8e18413911b908748ab

Download Submit
memory/240-73-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/240-71-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/240-65-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/240-329-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/400-558-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/400-573-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/436-892-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/468-863-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/528-548-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/880-815-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/888-747-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/888-726-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/908-439-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/908-424-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/940-330-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/940-81-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/940-76-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/940-93-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/952-683-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/988-695-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/988-717-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1040-105-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1040-104-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1040-358-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1040-99-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1080-532-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1112-522-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1112-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1176-31-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1176-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1176-1-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1176-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1176-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1208-691-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1208-694-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1248-401-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1248-407-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1288-384-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1288-381-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1324-404-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1364-576-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1364-562-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1396-812-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1404-427-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1628-291-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1628-315-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-776-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-786-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-295-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-273-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1828-351-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1828-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1832-844-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1936-474-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1972-834-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1980-664-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1980-513-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2040-757-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2052-638-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2052-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2184-661-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2188-448-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2188-452-0x0000000003C00000-0x0000000003CBA000-memory.dmp

Filesize
744KB

Download
memory/2188-463-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2236-120-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2236-379-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2268-331-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2268-342-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2308-451-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2324-380-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-274-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-245-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2352-57-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2352-51-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/2352-50-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2352-288-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2388-502-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2532-109-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2532-85-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2532-91-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2532-95-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2532-108-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2572-733-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2644-479-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-620-0x0000000001EA0000-0x0000000001EC4000-memory.dmp

Filesize
144KB

Download
memory/2652-613-0x0000000001EA0000-0x0000000001EBA000-memory.dmp

Filesize
104KB

Download
memory/2652-615-0x0000000001EA0000-0x0000000001F44000-memory.dmp

Filesize
656KB

Download
memory/2652-35-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-36-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2652-623-0x0000000001EA0000-0x0000000001F06000-memory.dmp

Filesize
408KB

Download
memory/2652-622-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/2652-621-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/2652-240-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2652-43-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/2652-614-0x0000000001EA0000-0x0000000001F2C000-memory.dmp

Filesize
560KB

Download
memory/2652-616-0x0000000001EA0000-0x000000000203E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-617-0x0000000001EA0000-0x0000000001F8C000-memory.dmp

Filesize
944KB

Download
memory/2652-618-0x0000000001EA0000-0x0000000001EB0000-memory.dmp

Filesize
64KB

Download
memory/2652-619-0x0000000001EA0000-0x0000000001F28000-memory.dmp

Filesize
544KB

Download
memory/2652-612-0x0000000001EA0000-0x0000000001EBE000-memory.dmp

Filesize
120KB

Download
memory/2652-611-0x0000000001EA0000-0x0000000001EAA000-memory.dmp

Filesize
40KB

Download
memory/2664-641-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2668-497-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2676-321-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2680-354-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2820-902-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-98-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2884-19-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2884-22-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/2884-13-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3012-873-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download