e8296f0c9a11f2b4946cd50439c8f23ea68cf827672cd7dbfc7be44ee7013510

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3771d4c5edbb7b165a5d1c003b1510N.exe
Size

2.3MB
MD5

0b3771d4c5edbb7b165a5d1c003b1510
SHA1

3b16da8cd37c43fea488baa1498ac599efc35fca
SHA256

e8296f0c9a11f2b4946cd50439c8f23ea68cf827672cd7dbfc7be44ee7013510
SHA512

e08a0ea6bebb83f0b3447882ad641ed10c8a3e9b068ebf209126bf855847eb609b988bfb1e89d69a20859ffda9cb45607cc5775b113f53049e6f3de684c1129f
SSDEEP

49152:/aMQVSJOl8iL+WhVNb+y4yo7TvIT4wpHLJE3jM2ce:yMMSwE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2840	alg.exe
2660	aspnet_state.exe
2680	mscorsvw.exe
2676	mscorsvw.exe
1400	elevation_service.exe
2972	GROOVE.EXE
2976	maintenanceservice.exe
3064	OSE.EXE
1364	mscorsvw.exe
2580	mscorsvw.exe
2176	mscorsvw.exe
2148	mscorsvw.exe
2944	mscorsvw.exe
808	mscorsvw.exe
1480	mscorsvw.exe
2060	mscorsvw.exe
572	mscorsvw.exe
1012	mscorsvw.exe
1672	mscorsvw.exe
932	mscorsvw.exe
1600	mscorsvw.exe
2308	mscorsvw.exe
2828	mscorsvw.exe
2356	mscorsvw.exe
2724	mscorsvw.exe
1960	mscorsvw.exe
3056	mscorsvw.exe
1572	mscorsvw.exe
428	mscorsvw.exe
944	mscorsvw.exe
2512	mscorsvw.exe
2432	mscorsvw.exe
1080	mscorsvw.exe
2492	mscorsvw.exe
1716	mscorsvw.exe
1660	mscorsvw.exe
2168	mscorsvw.exe
1804	mscorsvw.exe
1936	mscorsvw.exe
1648	mscorsvw.exe
864	mscorsvw.exe
2552	mscorsvw.exe
1180	mscorsvw.exe
2244	mscorsvw.exe
1436	mscorsvw.exe
2452	mscorsvw.exe
2176	mscorsvw.exe
3032	mscorsvw.exe
2280	mscorsvw.exe
1948	mscorsvw.exe
1952	mscorsvw.exe
1572	mscorsvw.exe
2544	mscorsvw.exe
236	mscorsvw.exe
1676	mscorsvw.exe
2260	mscorsvw.exe
2812	mscorsvw.exe
2052	mscorsvw.exe
2352	mscorsvw.exe
2956	mscorsvw.exe
632	mscorsvw.exe
2716	mscorsvw.exe
1748	mscorsvw.exe

Loads dropped DLL 45 IoCs

pid	Process
464	Process not Found
1804	mscorsvw.exe
1804	mscorsvw.exe
1648	mscorsvw.exe
1648	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
2244	mscorsvw.exe
2244	mscorsvw.exe
2452	mscorsvw.exe
2452	mscorsvw.exe
3032	mscorsvw.exe
3032	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
1572	mscorsvw.exe
1572	mscorsvw.exe
236	mscorsvw.exe
236	mscorsvw.exe
2260	mscorsvw.exe
2260	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
572	mscorsvw.exe
572	mscorsvw.exe
1648	mscorsvw.exe
1648	mscorsvw.exe
1976	mscorsvw.exe
1976	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
568	mscorsvw.exe
568	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
2072	mscorsvw.exe
2072	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	0b3771d4c5edbb7b165a5d1c003b1510N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b9fb873dd264f17b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30A2.tmp\Microsoft.Office.Tools.Excel.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3B4.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDF86.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF1CE.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE466.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3DDB.tmp\Microsoft.Office.Tools.Word.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE225.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC4D5.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC958.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCBF6.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD24D.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2468	0b3771d4c5edbb7b165a5d1c003b1510N.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeDebugPrivilege	2840	alg.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeDebugPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe
Token: SeShutdownPrivilege	2680	mscorsvw.exe
Token: SeShutdownPrivilege	2676	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1364	2680	mscorsvw.exe	37
PID 2680 wrote to memory of 1364	2680	mscorsvw.exe	37
PID 2680 wrote to memory of 1364	2680	mscorsvw.exe	37
PID 2680 wrote to memory of 1364	2680	mscorsvw.exe	37
PID 2680 wrote to memory of 2580	2680	mscorsvw.exe	38
PID 2680 wrote to memory of 2580	2680	mscorsvw.exe	38
PID 2680 wrote to memory of 2580	2680	mscorsvw.exe	38
PID 2680 wrote to memory of 2580	2680	mscorsvw.exe	38
PID 2680 wrote to memory of 2176	2680	mscorsvw.exe	39
PID 2680 wrote to memory of 2176	2680	mscorsvw.exe	39
PID 2680 wrote to memory of 2176	2680	mscorsvw.exe	39
PID 2680 wrote to memory of 2176	2680	mscorsvw.exe	39
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	40
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	40
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	40
PID 2680 wrote to memory of 2148	2680	mscorsvw.exe	40
PID 2680 wrote to memory of 2944	2680	mscorsvw.exe	41
PID 2680 wrote to memory of 2944	2680	mscorsvw.exe	41
PID 2680 wrote to memory of 2944	2680	mscorsvw.exe	41
PID 2680 wrote to memory of 2944	2680	mscorsvw.exe	41
PID 2680 wrote to memory of 808	2680	mscorsvw.exe	42
PID 2680 wrote to memory of 808	2680	mscorsvw.exe	42
PID 2680 wrote to memory of 808	2680	mscorsvw.exe	42
PID 2680 wrote to memory of 808	2680	mscorsvw.exe	42
PID 2680 wrote to memory of 1480	2680	mscorsvw.exe	43
PID 2680 wrote to memory of 1480	2680	mscorsvw.exe	43
PID 2680 wrote to memory of 1480	2680	mscorsvw.exe	43
PID 2680 wrote to memory of 1480	2680	mscorsvw.exe	43
PID 2680 wrote to memory of 2060	2680	mscorsvw.exe	44
PID 2680 wrote to memory of 2060	2680	mscorsvw.exe	44
PID 2680 wrote to memory of 2060	2680	mscorsvw.exe	44
PID 2680 wrote to memory of 2060	2680	mscorsvw.exe	44
PID 2680 wrote to memory of 572	2680	mscorsvw.exe	45
PID 2680 wrote to memory of 572	2680	mscorsvw.exe	45
PID 2680 wrote to memory of 572	2680	mscorsvw.exe	45
PID 2680 wrote to memory of 572	2680	mscorsvw.exe	45
PID 2680 wrote to memory of 1012	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 1012	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 1012	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 1012	2680	mscorsvw.exe	46
PID 2680 wrote to memory of 1672	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 1672	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 1672	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 1672	2680	mscorsvw.exe	47
PID 2680 wrote to memory of 932	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 932	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 932	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 932	2680	mscorsvw.exe	48
PID 2680 wrote to memory of 1600	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 1600	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 1600	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 1600	2680	mscorsvw.exe	49
PID 2680 wrote to memory of 2308	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2308	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2308	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2308	2680	mscorsvw.exe	50
PID 2680 wrote to memory of 2828	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 2828	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 2828	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 2828	2680	mscorsvw.exe	51
PID 2680 wrote to memory of 2356	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 2356	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 2356	2680	mscorsvw.exe	52
PID 2680 wrote to memory of 2356	2680	mscorsvw.exe	52

C:\Users\Admin\AppData\Local\Temp\0b3771d4c5edbb7b165a5d1c003b1510N.exe
"C:\Users\Admin\AppData\Local\Temp\0b3771d4c5edbb7b165a5d1c003b1510N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d0 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 254 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 24c -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 25c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 280 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 250 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 298 -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 290 -NGENProcess 2a0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 264 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 264 -NGENProcess 2b0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1cc -NGENProcess 2a0 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2d4 -NGENProcess 2b0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2b0 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2b0 -NGENProcess 2d8 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2ec -NGENProcess 2e0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e0 -NGENProcess 2e4 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2a0 -NGENProcess 2f8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f4 -NGENProcess 304 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 1cc -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 2f8 -NGENProcess 300 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 1cc -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 314 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 304 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e4 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 324 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f0 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 318 -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 32c -NGENProcess 324 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 318 -NGENProcess 328 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2e4 -NGENProcess 330 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 330 -NGENProcess 32c -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 328 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 330 -NGENProcess 338 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 340 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 340 -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 34c -NGENProcess 338 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 334 -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 344 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 334 -NGENProcess 350 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 358 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 358 -NGENProcess 344 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 364 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 344 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 350 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 350 -NGENProcess 368 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 368 -NGENProcess 32c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 37c -NGENProcess 374 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 37c -NGENProcess 378 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 384 -NGENProcess 32c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 38c -NGENProcess 368 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 38c -NGENProcess 37c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 378 -NGENProcess 384 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 358 -NGENProcess 354 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 398 -NGENProcess 37c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 384 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 354 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 37c -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 384 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 354 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 37c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 39c -NGENProcess 3b4 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3bc -NGENProcess 37c -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 384 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3b4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 37c -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 384 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3d0 -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 37c -NGENProcess 3d4 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 3d4 -NGENProcess 120 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3cc -NGENProcess 3d8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3e0 -NGENProcess 3bc -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3b4 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3cc -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d4 -NGENProcess 3b4 -Pipe 120 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3f4 -NGENProcess 3e4 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3d8 -NGENProcess 3bc -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3ec -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3ec -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3d8 -NGENProcess 3d4 -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 408 -NGENProcess 3f4 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3f4 -NGENProcess 3ec -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 410 -NGENProcess 3d4 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3d4 -NGENProcess 408 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3cc -NGENProcess 414 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 41c -NGENProcess 404 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 404 -NGENProcess 3d4 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 424 -NGENProcess 414 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 420 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 3d4 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 430 -NGENProcess 414 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 424 -NGENProcess 420 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 434 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 404 -NGENProcess 41c -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 440 -NGENProcess 420 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 434 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 44c -NGENProcess 41c -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 41c -NGENProcess 428 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 420 -NGENProcess 454 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 454 -NGENProcess 440 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 450 -NGENProcess 430 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:1948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1400

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2976

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.5MB

MD5
5b91cfe80e4c69c84fc618b8c3e06824

SHA1
cc4695f17bb1842e792fdd45c24c357636d62a6a

SHA256
d6123ea1862dfbb4d09f52ec7cfa2243dd05bc499c0e256c9dc6541dca24742b

SHA512
20f0ef1fd587918e9f42b6aec0cc5b1121cca385eccf26ac80843560547f89f64fa0467f3eab1c1d07e653a9f8ba54fe3ede13b50e4a69e67cf7a802c519d345

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
914b0e70c75fc61deabe88a000628ab2

SHA1
59e37312b5f10110a2d0ed064fc425b67056f91d

SHA256
cd644929ac587bec4527e405a824353be30ef0130067d0fa4bf4b19e53d60c83

SHA512
1b8c73934db90e337c1f4a98450acb91a871fab18020319026a9189cae760fe4fddf1d723ef27a3a9721aff2a552b6081ffa502ff84a228953c9ac6e39fee880

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
caee9f81cb2f32048e3c78205523a546

SHA1
ac0c938dc3d6259c1759c5f1ac773bf28d737f47

SHA256
f51b69ab7274ebefee8afeec8affe1a396f325883396084ea243a46f7156115e

SHA512
f29aefe4e18e3bc1a23276275efebbdbb895534a2c94b96188e8a9f71ec52ff1418c63592bf231cbbade47e35925714b3155c710c7bfc996bf292d3a45cf47de

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
b77f5f541083bbf36e725b1272c9d265

SHA1
4b44a5586232e87506b260459b599acfff1e1c57

SHA256
05c19e4e42786ad5e2995abab24d041138d8ccdc9c694b8ffffb9a4fd2b00152

SHA512
17252b9c527515a08070105ede0521ad87eb2ee62c7a333b78926b1cbb8dc05878c0a3953fc92a61bedc979e75d56eb93e51486b3b3a6b89669476da4a3ae9b8

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
8a5bc0b7e19931dd33b3021195fd2b9f

SHA1
6495be1feaa4303594cc14fe18ff38830101c6ab

SHA256
efcdddc14d5aa6eb442a9cfc374597086dcdc36e068878b271d055e67c25922b

SHA512
44d3d912de215a96d6ff989539f03e0808211d90fe72cbac4101eb9f21c671111b45fe5f9bdfe883c3e3708d9900f938d04bf38c5be896f94731bad3298a5944

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
46c123ea8184e1bc44225e200f900c32

SHA1
2443da90a68d55d5d4983127050af382a7d7c8de

SHA256
f4ec4bc7b360e08fe48718bac6a3c8d30918741f7b24df6c3f66a06082e10c87

SHA512
147f39cbecdf33560eefd5ab48bdd28a0f87a99e169786bf743e2cbdc8b55805c013720457e0bd62ecf42fb1963122dbf4a57716e11764ac212cc473d414f810

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
e035c5a04ca520c1dfc5c5e8325ff925

SHA1
d454a9673dc822dd167357cee6117b7fe1b12ba3

SHA256
bc28ca731e293b53e8fc5eed3c96dbc192f928bc229998e55bff15f24d16977b

SHA512
e0e96cdbdefaec032ee4ffef0803a41a6473e70d3ec76880ce79efab0d1f66a1d4604dcff161c7ddbc523a6cb92695ad1b1cdffd9d05feccf9227a0ea7a2a5e8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
7bd068dd7d7d790afc541aa472aa1e0a

SHA1
6b72d5edec0c8a2d0b2bbed05c3173a29cc1a212

SHA256
47e9bbba336800985a54b202c766fac97d4eef64d4a239328b1e6355f0bd6a7a

SHA512
ffa39ce741bde68942c70b730a20e19df501fd1431bab1bee3bb9158d959c25831e0592bbb867b75678033a81c6286a746d70596850c4a99d2a451f9987d6387

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f877198bdeb268be581d0898fe82b2ea

SHA1
295d6a57bce81cd6afebbba4bfc8912d7fc7484c

SHA256
94d6e3362a428c3f0843fe55a345bbb083b1f080da614d033eaa803d844bca3b

SHA512
3667acbb8d09c51793135826a4a0b96ad143cdeedb7b07f3a03dc3e0648d272e72015b839fa325ce45931a55d81462764f978c11cc152be8c020ad8060f1f35a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e6c54daf00c65afb42832d283dbcb7b

SHA1
16f4cd5a91a9402c26584881fe35586ce1022b5a

SHA256
df6cbec6c96cf7993e4764d586cf39227149c19211e4076b9f71231a6dbcb831

SHA512
ec7e5b73d8cb7e03590bb0c932f4e0e1a6760bdc0d90d090ab367246545386e7d8e733d1823c607eab73b1c8423f29c20e5250b52c949f1c90c58ce0839c5ba6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
acfab503651ea33938c94c6fcfc30d9c

SHA1
9fde4d60879b752660bf53ccb1cfa2ad9749d525

SHA256
360a1536ad569b3b999ca96ae0d8594a0af10200e3fb25e60f1841960acaa9e2

SHA512
f8073175afff31fd2ec5b1a3568526feff2d8598d1bbd2502a6324506dbd48f659cf80893de59eae53934dd84e810ae25470733dd2eed0c89c1600b923adec00

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5edab7399d0522c928e371137ecd0a70

SHA1
ecb7173d481ce9035718877b2e41452372eb73c6

SHA256
02ffa41ade591914ec06b64c80aa3d986946ea8250b485fe546fe782da6decf1

SHA512
4bf2151fff7a5a5cb32d467950dd81ca063c1d25adef0bbf5c00816cbde177e852d6974554d065c3230af081de3dc70ae22cbf843b7b259385a486d24929d778

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
3ea5011abe3cee151cb2a788aa70ebfc

SHA1
bf8ab74eb7aa51b2d42198b86736a239bfb2e42c

SHA256
904c2903cca255155d615cb5683983d8f4450ee116ec25fd7352565455cfc1ab

SHA512
0fc7ee949665934129736b0c4085f10f46702a1e52f265a9ebdb76c71f6e175681c8c0350eb7bcd3dcf7cb5a82ba28368e12353a62c7f567cd0a86c4285700d7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
679f8d1902ed16f0127e8c66f4c3d9a7

SHA1
be9c80334da14f87e8176aa379fb2e5be3009b86

SHA256
b62608a14b131598e36925db8816dad6ab03d1a0d998daad2c30ddd74cf63d78

SHA512
f1a6f0cb89ab71f98b8d2f9677e9c1fb42f01cc980ae5adce9fceb9d4082b571d159b64fd00e1986f2ac48fd64528d0bb4edcbfa1d7a0781011ffb4bca6c64ff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0e387a91f68221630238e9ea8142e3ec

SHA1
328bde826466cf4c91095bb4d3bd0377d7c7bfe2

SHA256
79deef4984c1d4daea1fd9e848bda3e82816580f6932f93bfbeb0958cf18b179

SHA512
3c7e4ccf5f9df1c8bb9a5aa7d38f9a00a2f5dc39729541dceff684b5fde460543919f2d661db7c9f032090494713893d7fb25576e77ff8b5141cfd6b3fbab695

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
f8ff53a746582e2422cb6bfa6c4ed9ff

SHA1
e0f7e5a9190925e566d22fe22a97bc218cab71e4

SHA256
3b063a4e25f783ebcbd693d68bba2973f86348ab5c1b0fc4a37c635c7234bb5e

SHA512
3246e835b7c0b25c190d95eba0079da4058a891da3b26dbe9b77ac14fe940e03253c781f817de8655647eca490a72f455e5c5cc3e04a2b3f958e499a50f5a669

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
83880eba431a60d9f7837db28742f6bc

SHA1
373dfad45bf866dec3abd94fc2dcb29de44d444c

SHA256
8a630d051b6c5edd0a26bd39e7ab5f39f32a5b3cb6275ae9d8dd96f548b2ecc1

SHA512
098a0c24f735e219a744cd24d85e4c831d16ca684ac3bcc9719722afeffaf722bb888010d4762ec9e98f941239b6639cafa476fc61c8ef617aed238f9110cbad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.4MB

MD5
ddbc3cb4eae7a876901c5f3558e8cdf2

SHA1
f4fa179f93c4c3d629bb348b4fa5b6433d323835

SHA256
bcbcb19f313c925b474a15d8298c19c8e9d47605b4efe60dc70ad9b7bb14a597

SHA512
f9c128813423f2c9599d05bd4916a136d5eb39b3f812bc0110b24b834458790c3212d2cb5fe3bc7031b042f8f066ac39b78d8ffa01acacbb5d6130d44dbf3f59

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.4MB

MD5
2e52e966824a8c988c3b2aeccfe45cc1

SHA1
cbd6642530ca12f3d89b031ffb5097cb4e12adf3

SHA256
61c64cb2daac4f2bd7bb8fa767603034a0d9ca6c12a27509e1784aa7875f820c

SHA512
ef480f531db0bca2661d49168e1994d7ae6da2f3e3be7e7b2423eeef637aa265ca4dc890512b932a3c536e3cd1683110e22c9cc1ccbd91ab1b5cdbe5ecf24cb8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.4MB

MD5
5e8294d6048af151ceaf8508507a2ace

SHA1
f2cd1d05cd9017586dede9e459637c91b6eec7cf

SHA256
1e951e089c3fffb54a6a5d0e35ff487c8ec3a654c0ff3dea99c3269380c4f4b9

SHA512
b9f3e954690fef852a264d3760a697118f1ee8e19859246a87decbfc9548e368de778b18f892151b0f14b162483b21890a77b858ace2240d0ed5da2c22dc9474

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.4MB

MD5
404be84dd1684d854573db32d5eec289

SHA1
e5adad5ea162f9ca71a1b0c597b37ec7c14e5a2e

SHA256
5211cdecc2bf11fde1f562345328380aa413c4af7786efc431eb7709dbd8fe59

SHA512
3fb37041ff0bd521a50f9c56a2887cf8cbc97bb38e633db305d8a2e02b7c57a426059c7f26e9084797e02528f39b7ddc1610de848c793f4010f24a9d08e37964

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.4MB

MD5
f914a59aa9e7c76b461b8b0c167153df

SHA1
b77bae76bb555bcc73af1fc721f0ecaefc326117

SHA256
9f7aa1f7f8db0e2a3ea2a7c91f2d5317b49cb6a8a40bfc9c7439a544d8cb1ed2

SHA512
badffd292173f599f869f3eb467640a4caac81669345952e4b78189b2c00719e58e119afbdd6ebc94f3a4137d66ab7e895b3b9976583b837167b2d6d0ccb7ca0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.4MB

MD5
bc37fcfd48f0ff277c17ca2a09d2be10

SHA1
2f3df7392a882c3509b079a2c7f338bd3362427c

SHA256
dbfb1bdc09352f1c15d8c5f2fe11f3be0f17076a88662d4d6871a4a2f4c56b6b

SHA512
fc80f211c69b9b26f41ba6995f23e0888c1d52f8ceecd2890d99314c9fd797417a5829bbd8d95d2c3415a36db53b63be98ebfaf4855dcb8ad1869b7a6c608791

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
1.4MB

MD5
ccbb62b00e5ab5aedcefb863d894ac0b

SHA1
1471abf2f6bf136ee3f11f56a145e2cfcfd68a90

SHA256
34a41fbad485f2fc76fbf125b4f069128cfbeac99b007ffd9826a24be142bf79

SHA512
e4b0fe9db300294bcfb0e87325bf2e958c80fb2405a425fadb020e01f70045319328425861946dfc87af7c94a1ed8732b0e784c59721d51e815593d64d4f03df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
1.4MB

MD5
f1e38ca48f13284be90d8a9b6136707d

SHA1
d80a4baae85979006334bfd2318e6749b2a3b9b9

SHA256
427581fda9c1c0e7231075027db1659b5d9dd69d0fd8efbfb2fa7510c7c78824

SHA512
d34833ec6754c1b2e1a87979a4bebc1b1e04d06141c854a20b3f69289a525f633116ba07fde22607b1ecd6e617a078b2af3a57fe44fc3b02e4c2bb7cca2ae844

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
1.5MB

MD5
0deef1bb5101ece87292aa8210e4c6be

SHA1
008205bbfaa9997ffb657f80b2b47e4cdff98257

SHA256
b88aa34edd2989026e8e50d7fb918d98f5788f3e6489cbb5e894a48733a89e6d

SHA512
c0f3690bd249c93a7045afd3fd46fd829d1fc0e9812e231f89d06b35eaa25cb8eee3b6f784f20f9f81cad810183b70f608580f77b16feaabe79c515ae850548a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
1.4MB

MD5
b2725f850c406b8787b19331285a3460

SHA1
5d5a3e0e77fd65bca3b1dd3ab623e03125112a0d

SHA256
38bac537058560cb1fca342a5f77909799bff290133978c6b16990d5408fd2f3

SHA512
58d2aff45ce514a184095965566baffc70c447516521770c7253977c1341e49f5cbac826ca13d6fda25808da414e67004d1c3f1feabe8dabcb7779fc384f17aa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
1.4MB

MD5
2b2535360be69c603dd9616594965939

SHA1
0975e2b4569efe5fa9f3dadf5bd3fdff375864e9

SHA256
8b666590fdb84371f4e623e3a681abbca649b6f39f0b37da68d8c3ef87d34d95

SHA512
88ac2d3138a0436f0fc4726473c30c74e2e546e19f131c71f96218173493da2562b111693426dae5b299c24504c4e4d03c13d0becea94931ca90a9646c80c4e4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
1.4MB

MD5
0c734980964858deea6e86ed6f59876a

SHA1
1b497f9654965133ca3b1b0e10be187829ae0aff

SHA256
b11be75f210bdc7daa895c4f91e0b2e47c7016496a892ae1b69e289699e2cd4e

SHA512
06f46d3485ac6a790945a4b45e6cbfc206a9f7813a5a7976285319c5dd5539586de907641134af95b534293733d89a2e9bea07b8f56bb7a6f933d717aaca50f6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe

Filesize
1.4MB

MD5
d4fee2a7dd25605fefe11e6843992b1e

SHA1
77f06f4aaf8a0c4c2d213a2c587999585d2138b4

SHA256
3c2ca583a9da5cb9725cfdc7ac264c4b41a20a8a4029ecf7979406c23c93f08b

SHA512
af2f45d11bc14d544420da940631f6453909c10213bbc9b72a86a936650605e173a6a22a6b925d2676b787991625734aa6df76728af2055c5d47607466c1c95f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
988ff8662ded9150ab039f51635e90df

SHA1
69cbbaf5db3b410d9a8d5aaef3ec26889cc920ef

SHA256
e4cfc5817e8f41af78bb7cc9cc5e4159cf4816f996032467cd5b5b6d29620f05

SHA512
b56d2ab452cafd3e9de290ca6790f1c5673c2f084435920aa76bdfd6e58caad8aa00fa52e6deb9ff5f170881d24535667c63dc28d10345e63acad5537f956078

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
20d4cac6e4b1dfddeb741e715765281a

SHA1
d40e297f99e690857247e38c9094b677e0b599ea

SHA256
bcbeff811ea7b2e058e3358e00d0d247b9de0b8ebc2c9e2030e4d5544e554932

SHA512
28a4550812a0b90f9148527081c5a96d6941f982f38ea324e1a8e5c7e37c8c9aadebb1252198c34ede14e3603b7df52d8adcf4d0d068160df72174b2a817215b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
d6b623e4ae9410fcaee1c5abdf94299b

SHA1
3a4a4540b70ab5b17de1f758470da398ca5c56e0

SHA256
ab9af64d403b864537910ff3446a92bdc669afaca61dcf1b0d941fd7b1920fe5

SHA512
380e7f36b1a812d8183af6f0f6f2cb8d71de60754ebf7621c121ae4de12b19df91e7bfd7ccb68f8abd3e3219b0415211ca13c6ce199ec267e7b39dd948c06995

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
53583699032b27997e3c70b0baba339c

SHA1
ec8615f29d85a089c7edf4a62ca5e46a7271b6d9

SHA256
5bc8bb4eddea8c4f6697bf2dbefcd748b4c14aad8aed756e348439d8da8b06ea

SHA512
486445eeece14c895787996f02669141fec31bd298df08d9967eca45b127d48883026b2ca7f098732d0547543e82a2fbd6b0918b7c0f54ecd07661c35c357c81

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1e888b690a7adf880a4e87a12fe3ad63\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
72678fbc136e463adab79fa4730399ce

SHA1
76a25136d298ced3997c9046a24cacc70826f738

SHA256
279a834b50d10862426109db7f41d1ff7ec354badb08db9b63a706a92c26d666

SHA512
e12c892e6fbef0a332ab65a9f7cf281eec9e5f8a0a62d96fe5ef18ded9049252447cfdd0fc50273738f909580f77681af9b725f7dc6592a8c71d79fb8a382acd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c9d7a1c69c969fa7abc997b7881a73d5\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
b953ec5003213f852c36704912509add

SHA1
16f7aceea1cdaf6eb67b749815d5e118ee8cf27d

SHA256
0736b2f429425f262ed1fde009586ca5415a9e04ec950e4c1ccbcb21b6eaa4a5

SHA512
5734f552d856ba3e6f8926628fe3f4d4217d3ad3d97dd8a090a28b8622a8fd7e8a9a3572e391c05556b512b20cb268b19b09989331ce3426b97d427f5dc02f5a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f505a6745f449d15c61820724e9e20bd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
9877ee40b313082689d1cbad4420b57d

SHA1
fb8b8a3102c8f687f25cce510709aefe3c7c315b

SHA256
ae4c7d567cea1219ad554f24e9e0292a9d52469d2ed00f435b647eaee7765f1f

SHA512
1cbf775f26e0cbf088132e8a25ebfb9cadd4f38a03309f548ff15b180302cfa4e8ac7397be3a41da5f3dbc12547d01bc9075c3e149c6d77b03fb4362db90aa36

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.4MB

MD5
2550607ca83483a8e97dc7b70df97aeb

SHA1
82f8cdb4dbee027b1b7b2d3d02e78420e17409dd

SHA256
b6853d7a9e2ef9aece956d1180e23979c06aea00ead4b77c3c7b3d1add11346e

SHA512
b366f7ca955122859cfe50aeef652a1d1bc714cdef0f4bbe6d2a0339ec1b66ea2fb25a49fc1abafd0dbf4ec5a7be9f2856160e92fec9aa56386eb4283d1fbc2c

Download Submit
memory/428-533-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/572-374-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/572-387-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/808-338-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/808-350-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/932-424-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/932-412-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/944-544-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1012-384-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1012-400-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1364-241-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1364-206-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1400-324-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1400-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1400-67-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1400-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1480-361-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1480-349-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1572-522-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1572-511-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1600-429-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1600-421-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1672-411-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1672-397-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1960-485-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1960-499-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2060-362-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2060-375-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2148-301-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2148-313-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2176-251-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2176-302-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2308-449-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2308-438-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2356-475-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2356-463-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2468-1-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2468-13-0x0000000076E26000-0x0000000076E27000-memory.dmp

Filesize
4KB

Download
memory/2468-12-0x0000000036E10000-0x0000000036E20000-memory.dmp

Filesize
64KB

Download
memory/2468-11-0x000007FEBCEA0000-0x000007FEBCEB0000-memory.dmp

Filesize
64KB

Download
memory/2468-10-0x0000000100040000-0x0000000100050000-memory.dmp

Filesize
64KB

Download
memory/2468-9-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2468-17-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2468-26-0x0000000140000000-0x000000014025A000-memory.dmp

Filesize
2.4MB

Download
memory/2468-0-0x0000000140000000-0x000000014025A000-memory.dmp

Filesize
2.4MB

Download
memory/2580-254-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2580-240-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2660-35-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2660-203-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2676-57-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2676-51-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2676-250-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/2676-59-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/2680-612-0x0000000001DF0000-0x0000000001EDC000-memory.dmp

Filesize
944KB

Download
memory/2680-609-0x0000000001DF0000-0x0000000001E7C000-memory.dmp

Filesize
560KB

Download
memory/2680-618-0x0000000001DF0000-0x0000000001E56000-memory.dmp

Filesize
408KB

Download
memory/2680-617-0x0000000001DF0000-0x0000000001E1A000-memory.dmp

Filesize
168KB

Download
memory/2680-39-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2680-238-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2680-606-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/2680-607-0x0000000000EC0000-0x0000000000EDE000-memory.dmp

Filesize
120KB

Download
memory/2680-608-0x0000000000EC0000-0x0000000000EDA000-memory.dmp

Filesize
104KB

Download
memory/2680-44-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2680-610-0x0000000001DF0000-0x0000000001E94000-memory.dmp

Filesize
656KB

Download
memory/2680-611-0x0000000002070000-0x000000000220E000-memory.dmp

Filesize
1.6MB

Download
memory/2680-38-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2680-613-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2680-614-0x0000000001DF0000-0x0000000001E78000-memory.dmp

Filesize
544KB

Download
memory/2680-615-0x0000000001DF0000-0x0000000001E14000-memory.dmp

Filesize
144KB

Download
memory/2680-616-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2724-487-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2724-474-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2828-451-0x0000000003DA0000-0x0000000003E5A000-memory.dmp

Filesize
744KB

Download
memory/2828-462-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2828-450-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2840-27-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2840-31-0x0000000076E10000-0x0000000076F2F000-memory.dmp

Filesize
1.1MB

Download
memory/2840-156-0x0000000100000000-0x0000000100243000-memory.dmp

Filesize
2.3MB

Download
memory/2840-30-0x0000000100000000-0x0000000100243000-memory.dmp

Filesize
2.3MB

Download
memory/2840-20-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2944-336-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2944-322-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/2972-93-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2972-337-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2972-83-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2976-94-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2976-96-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2976-87-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2976-99-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2976-100-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3056-510-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/3056-491-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/3064-103-0x000000002E000000-0x000000002E254000-memory.dmp

Filesize
2.3MB

Download
memory/3064-104-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/3064-371-0x000000002E000000-0x000000002E254000-memory.dmp

Filesize
2.3MB

Download