e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
Size

1.8MB
MD5

3e1ecb7f6b2083711edf7216709ee3dc
SHA1

17a205c7e7be2ab3b1978f8d4797eeb58378976b
SHA256

e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c
SHA512

141e9eb8e4d9ecea4335d0508f0298f8dd90bbdeefce59ce8879f71afa18e3124890b499246cc4d40ff40ccf8a513a2c0a2a213875b21d2786f5f38900a3402a
SSDEEP

49152:Yx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WANaB0zj0yjoB2:YvbjVkjjCAzJJB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 61 IoCs

pid	Process
464	Process not Found
2652	alg.exe
1500	aspnet_state.exe
1660	mscorsvw.exe
2676	mscorsvw.exe
2240	mscorsvw.exe
1072	mscorsvw.exe
1644	dllhost.exe
2376	ehRecvr.exe
1240	elevation_service.exe
1972	GROOVE.EXE
2756	maintenanceservice.exe
2708	OSE.EXE
2532	OSPPSVC.EXE
1104	mscorsvw.exe
2684	mscorsvw.exe
1952	mscorsvw.exe
1000	mscorsvw.exe
2396	mscorsvw.exe
2768	mscorsvw.exe
1592	mscorsvw.exe
916	mscorsvw.exe
2036	mscorsvw.exe
1944	mscorsvw.exe
2236	mscorsvw.exe
2292	mscorsvw.exe
2780	mscorsvw.exe
2536	mscorsvw.exe
2408	mscorsvw.exe
932	mscorsvw.exe
2176	mscorsvw.exe
2356	mscorsvw.exe
1704	mscorsvw.exe
1700	mscorsvw.exe
1764	mscorsvw.exe
3000	mscorsvw.exe
2616	mscorsvw.exe
2828	mscorsvw.exe
2732	mscorsvw.exe
2700	mscorsvw.exe
940	mscorsvw.exe
2892	mscorsvw.exe
2884	mscorsvw.exe
2436	mscorsvw.exe
2984	mscorsvw.exe
1484	mscorsvw.exe
1380	mscorsvw.exe
2376	mscorsvw.exe
3016	mscorsvw.exe
1808	mscorsvw.exe
1520	mscorsvw.exe
2316	mscorsvw.exe
2968	mscorsvw.exe
2612	mscorsvw.exe
2468	mscorsvw.exe
1576	mscorsvw.exe
2000	mscorsvw.exe
2200	mscorsvw.exe
1744	mscorsvw.exe
616	mscorsvw.exe
1528	mscorsvw.exe

Loads dropped DLL 22 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2436	mscorsvw.exe
2436	mscorsvw.exe
1484	mscorsvw.exe
1484	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
1808	mscorsvw.exe
1808	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
1576	mscorsvw.exe
1576	mscorsvw.exe
2200	mscorsvw.exe
2200	mscorsvw.exe
616	mscorsvw.exe
616	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5951ac7bcbc56ce8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_lt.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_id.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_de.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\GoogleUpdateComRegisterShell64.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_tr.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\GoogleUpdateCore.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\GoogleUpdateSetup.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_ru.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C12E5921-F58C-48D2-8296-7A848CE8B130}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_bn.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_ro.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_hu.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM87C6.tmp\goopdateres_lv.dll	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8CC5.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7B09.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9579F825-7B13-45D6-A299-3D2C24FC761C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP95CA.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA1DB.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9BD2.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP88BF.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9579F825-7B13-45D6-A299-3D2C24FC761C}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7272.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1256	e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeDebugPrivilege	2652	alg.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeDebugPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe
Token: SeShutdownPrivilege	1072	mscorsvw.exe
Token: SeShutdownPrivilege	2240	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1104	2240	mscorsvw.exe	41
PID 2240 wrote to memory of 1104	2240	mscorsvw.exe	41
PID 2240 wrote to memory of 1104	2240	mscorsvw.exe	41
PID 2240 wrote to memory of 1104	2240	mscorsvw.exe	41
PID 2240 wrote to memory of 2684	2240	mscorsvw.exe	42
PID 2240 wrote to memory of 2684	2240	mscorsvw.exe	42
PID 2240 wrote to memory of 2684	2240	mscorsvw.exe	42
PID 2240 wrote to memory of 2684	2240	mscorsvw.exe	42
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	43
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	43
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	43
PID 2240 wrote to memory of 1952	2240	mscorsvw.exe	43
PID 2240 wrote to memory of 1000	2240	mscorsvw.exe	46
PID 2240 wrote to memory of 1000	2240	mscorsvw.exe	46
PID 2240 wrote to memory of 1000	2240	mscorsvw.exe	46
PID 2240 wrote to memory of 1000	2240	mscorsvw.exe	46
PID 2240 wrote to memory of 2396	2240	mscorsvw.exe	47
PID 2240 wrote to memory of 2396	2240	mscorsvw.exe	47
PID 2240 wrote to memory of 2396	2240	mscorsvw.exe	47
PID 2240 wrote to memory of 2396	2240	mscorsvw.exe	47
PID 2240 wrote to memory of 2768	2240	mscorsvw.exe	48
PID 2240 wrote to memory of 2768	2240	mscorsvw.exe	48
PID 2240 wrote to memory of 2768	2240	mscorsvw.exe	48
PID 2240 wrote to memory of 2768	2240	mscorsvw.exe	48
PID 2240 wrote to memory of 1592	2240	mscorsvw.exe	49
PID 2240 wrote to memory of 1592	2240	mscorsvw.exe	49
PID 2240 wrote to memory of 1592	2240	mscorsvw.exe	49
PID 2240 wrote to memory of 1592	2240	mscorsvw.exe	49
PID 2240 wrote to memory of 916	2240	mscorsvw.exe	50
PID 2240 wrote to memory of 916	2240	mscorsvw.exe	50
PID 2240 wrote to memory of 916	2240	mscorsvw.exe	50
PID 2240 wrote to memory of 916	2240	mscorsvw.exe	50
PID 2240 wrote to memory of 2036	2240	mscorsvw.exe	51
PID 2240 wrote to memory of 2036	2240	mscorsvw.exe	51
PID 2240 wrote to memory of 2036	2240	mscorsvw.exe	51
PID 2240 wrote to memory of 2036	2240	mscorsvw.exe	51
PID 2240 wrote to memory of 1944	2240	mscorsvw.exe	52
PID 2240 wrote to memory of 1944	2240	mscorsvw.exe	52
PID 2240 wrote to memory of 1944	2240	mscorsvw.exe	52
PID 2240 wrote to memory of 1944	2240	mscorsvw.exe	52
PID 2240 wrote to memory of 2236	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2236	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2236	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2236	2240	mscorsvw.exe	53
PID 2240 wrote to memory of 2292	2240	mscorsvw.exe	54
PID 2240 wrote to memory of 2292	2240	mscorsvw.exe	54
PID 2240 wrote to memory of 2292	2240	mscorsvw.exe	54
PID 2240 wrote to memory of 2292	2240	mscorsvw.exe	54
PID 2240 wrote to memory of 2780	2240	mscorsvw.exe	55
PID 2240 wrote to memory of 2780	2240	mscorsvw.exe	55
PID 2240 wrote to memory of 2780	2240	mscorsvw.exe	55
PID 2240 wrote to memory of 2780	2240	mscorsvw.exe	55
PID 2240 wrote to memory of 2536	2240	mscorsvw.exe	56
PID 2240 wrote to memory of 2536	2240	mscorsvw.exe	56
PID 2240 wrote to memory of 2536	2240	mscorsvw.exe	56
PID 2240 wrote to memory of 2536	2240	mscorsvw.exe	56
PID 2240 wrote to memory of 2408	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 2408	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 2408	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 2408	2240	mscorsvw.exe	57
PID 2240 wrote to memory of 932	2240	mscorsvw.exe	58
PID 2240 wrote to memory of 932	2240	mscorsvw.exe	58
PID 2240 wrote to memory of 932	2240	mscorsvw.exe	58
PID 2240 wrote to memory of 932	2240	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe
"C:\Users\Admin\AppData\Local\Temp\e50d98660a33b527ef5d60f23b6bdae5a4d520de019232adaf886acef8e3723c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1660

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 250 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 280 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 240 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 290 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 27c -NGENProcess 25c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 278 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 268 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 25c -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 25c -NGENProcess 2a8 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 224 -NGENProcess 2b8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2d4 -NGENProcess 294 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2dc -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1d0 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e8 -NGENProcess 2c4 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e4 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 300 -NGENProcess 294 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d4 -NGENProcess 2f4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2d4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ec -NGENProcess 30c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d4 -NGENProcess 310 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 29c -NGENProcess 310 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 304 -NGENProcess 2c4 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c4 -NGENProcess 314 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 300 -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d4 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 320 -NGENProcess 328 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2732

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1644

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1240

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2708

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
c8ae6d8adb1940b0b512184cb3515f17

SHA1
04c2127b22a841219653d38a0273f2a705c56bc2

SHA256
7aa62b3c59a2fa8b2ac547f5765983626a1aec79f1eeb89d2c439ac09c5feeaa

SHA512
936b45e2d5e5564c4edd4f457cb726bfe71a4f3ac1f464879fb00bd48043c9c6e67d0e1d4ee3192e91d6d1bf907e61c8cd2fc64ebd359d098f2dbe5c604114b5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
f3f6a00906074cde54e8a8f40eb6192a

SHA1
405823ae43b280d61a1f3778d3b1d3eff7f6b7de

SHA256
0cbade8b134cbc865bbf7d4ce8e4408c3a4aebb57d5c2f2ac1a6bb2605a0a1ac

SHA512
c6b257f0927fba7abe2bde1eded01b04dbf3985c943089439905d4d0fe92a8183cdf37b7b575f77158a69cbf0e4ba4493912eaa11d5366bd8938bc5607cb0e62

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
a5a6a334e58ed4327157a862ce764afb

SHA1
5b5e0f67fe30f76d43b4131a14d8f12b1326d7cc

SHA256
3a508a7f5524f4836cac9d3c7f8160581ab8b195912fd8bf1408dbeffae1a541

SHA512
6db1670e040713c0f33298625ba46c5b8669d07409d0490fae97a9bfd642a247c96cbd9eb167480cf4d2621762721b4267717aff87c93bfbd996c694a14bb478

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
4a1f71175af5fe1127cf3b0c529ca201

SHA1
a66379b546c9a540bfb18478460ec2e2d891e104

SHA256
df44b43fab194ad8e6ba513fa163be6ef4cbd308f2ee8629e94f0a1cffc0ff0e

SHA512
ec1d35a53a2f746ced2e5aa0d342a83e7b10dcc5cf54ba22926efadb977e790b731cf22c39ec044b712447d76f7d098fb9924df55b3eb16d96c9f9edd5feecb9

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ba7b700e1c2e531b1e19e6a20b300ee3

SHA1
649343c80eb0b53db4f1a02f85541c69f7c10a6e

SHA256
823235a3b5f5463c5d7bdfe0baaea8dfb56fcf77c582dd4eed37832d6d556c99

SHA512
70afc41d1c50780b5a3306c28f230f6fb0ac47ba996e5e6a6ac5a590fdd310e34404eb82517dd473d0533e525695d2acd31657d37733b40825782a1eee985c33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a9c181b81598b0e64669096338df6be9

SHA1
06aca5313a994853a3ce4ae567bdea89a383ac45

SHA256
e21c6c4e49ec01efac9bf7bf0d137194b9a462d789add2003633db665136d99a

SHA512
2b3f805e4792ec973262c986e714cb807fb3c63cfa7700da71f88be4348a7270738da2aeb2761220cdaf14a4895b7285d0fd90153be09383e4fa30a0cb2dfd01

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b378a8f6ea0586d34e0d2df5ea47d6f0

SHA1
affa6e3aa4a47cbb1bc7a1079fd40783bdb37385

SHA256
bf3d8565b13aa9d7d1128b8045e32e24586d21b31b7ff6a18b91cd253fa41045

SHA512
ed5eec71370985ae88844f5e4a6f05d41f79d2ff990ffdf81320a90d922a4b9383f3ec4030e31361c79cfe39a90c86706533d3b257f0070bd0cb040061f4fbcd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b378a8f6ea0586d34e0d2df5ea47d6f0

SHA1
affa6e3aa4a47cbb1bc7a1079fd40783bdb37385

SHA256
bf3d8565b13aa9d7d1128b8045e32e24586d21b31b7ff6a18b91cd253fa41045

SHA512
ed5eec71370985ae88844f5e4a6f05d41f79d2ff990ffdf81320a90d922a4b9383f3ec4030e31361c79cfe39a90c86706533d3b257f0070bd0cb040061f4fbcd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
88d5023460a0a8c53ab03667e0ddf3bc

SHA1
8f25c602eb90b7385ae2d030f4b53d527be76fab

SHA256
48bd165961b1a01acf5770f53b25a72e32cd26fe329b88432edfcb071133d60d

SHA512
774cb5c62bea30ca1a70094d85fe0b015a5da93831f0e60958d9d7a5ea0867fb9b82111aaad9f5f3e6af6af47f9c910dd6317f60fe1d5db5a6ece7b3db160cf0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
42b1af23aaedf832711ee82f3a752067

SHA1
54e3e4f916f6b3ae213b8425ac102afce996ff2b

SHA256
df208209b8359a01f93a3f6ceb527f7f4f1990638a8824df60f6908beeb1657b

SHA512
8ea1cbf31b0e0121d3c243ea3052c7038b86820c98bc10dffaa284a0b0b8e56955122f9d2779948bb4afd7362bf6fd6e373d27814ac7c75cfa5b539c2581c630

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
603c0ecad0f608fcca9031356b0684b4

SHA1
11bb1dd10465a481fb58f558c452324dd32e60f9

SHA256
43fbc1d4b443ed460f2c9b113e2a2b7ce23241e2cdb433b7a01808e0e84360d8

SHA512
f680f61574376900ba12d32f24badfc943dbc21d0ee69f46cfa7c1cddde5eb14cd5687abb8a825f812efd06945d462983f93fc51d4be938e5635aa036283019a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8081e720bab4ecb55c2b14e8af6bdfb8

SHA1
dbe285a7ce8e4dce6ca64f45bfc3b872c88b94be

SHA256
9cde1ca476df113a4e18051e9ac744c700df3c5246afc015ec6d486ffab76289

SHA512
216e6ffab66f1d46675dab013f932a8c8396e04337eb9c5d41e00d5685c39788db078b1e063cc76e860ebe061da3eae005fca9c59c0b0f689cb84e7fe6ae4859

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
dcb231da9a78a4ef703c96d154cbb931

SHA1
7a9f15e48f0c33a7a91cfe9df1ae995d41039be0

SHA256
8eb2c9480c3c49f6d7f03c4774a64e546675a6dd515c0387cce29cf876dd9e1b

SHA512
0fe6ff463592cb3e395f45653bdda239716e3765caca687bf81b193a0f777d331080daa6adf073789089c92a471e97a19eb26075fa9758fb0866790a6df79f18

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
79997da6a363b76c0a3d9707ead5f9d0

SHA1
2b99b5f5876fc2c8d3b7f0cc7b9fdf8a40676f43

SHA256
fff7738c69c3ff60ef45efaacafef776c609ce860e2d40e58a0d48737368645b

SHA512
858539aee9bf44ff89c7d41046a36cc4c71c01e0c73027ff8186da3c491c8efa2933fd391a63d6643ef7e2650eb0853489637395856743fc177be59171bfcf75

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
bdd9ab30afd88d9fd7f74e73e4ac6d22

SHA1
070370ef5c8d935648dda4fe75a4676a1d054983

SHA256
6ccdb59814e0e31d8e1e46d65f0b88ef97dff158835dd49988168062aebf0140

SHA512
9657d1f09d53e455a2b6708b050b9b1265aaf58aa0c5507df0a98c324977dec6184d71b798e5cb89651383de5bf3db70c9375912d6493dd4e100efb435067948

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
560a3c2ff7b46bba8252c7aac895266b

SHA1
70694eac91ed0bfc61d95465540207f9b7726241

SHA256
7abad659b5dccb0d53a755e0a84e64a36e333bac819185891a1d262a84f1e7ad

SHA512
9d0a81ebae94abb584985892851893819e99ccf821fa443ceb8d94baebfc86fa130fa51e2276f36281f86f2799c48eb785f8ec8065453ae5f49705011302847a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e8b18028880f8d210aa252091d570936

SHA1
66ace6f18a46529231b8e0bdba38812fadd165ae

SHA256
20328c93bf131f9b796d27f80f77b9dc1e3297a5667a81191de68719517f831e

SHA512
fae89b4b097b5a17f7100f1005b74aca99061d93a0efd241182512ee395e3e473e79dde870d9f03d3827ebe9cee264dce40e790f7d8b089b7fe853628a7ada3d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
2b308480c3ce7d3bf0eb16a2c89eed50

SHA1
683065eceab67c584a2aa3d8ec0dff241720722f

SHA256
e3d2cefaf1481cfcdcb2997df4e4af148632e11ddc40113f6c2191957ee358d8

SHA512
c7beb94f2117d362057174de389c074b549ead62c864903447827925997303a799aff6196ba523a94a7c50c536c72c410c255a2390c5cea3665f4d9a525d9c7a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
6d52decb963a9149e7d97edcdaa88245

SHA1
eed9495566d8f683042d63d3d058d99ebbf8e3ee

SHA256
6e8d6f25a620e24dc26eaa61481ef35c8217a55d73f661e33a558bacd8b87b23

SHA512
7551860896ace395ca597b3b17202baf6e24972388baf224faae7d60beef8e92f10c35c501f0d98b631c613830788a6aed29edef777e20412ce155b3de3ad2ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
94fa6e8d80107a95ebae90ad9e0f70ff

SHA1
d2c48038103ef6f56a8525c3fc70721fa6fe458c

SHA256
d2283cdb0ad685c506c7e3b71a9158275ab6e52ac9de702e2814ad686d363a3c

SHA512
72b1d3b50018ffc721445e04d3ab3a4052554dd3f0f01a91fc86785da388878201d3e9c2cdf56a642a25d4ef576ea5fce01a95c026b5c2bcd9e7f947dc2d7498

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
d38f63979485994277190f2fb3056cb5

SHA1
e9986bb9202553db2850fd267b2891769dfbdfeb

SHA256
957ec096086cacb82d77cdaf22b8cc09e9c63bf6a760d82172a6f800223c1e3c

SHA512
6b482dded6ebcfbecf2fbe691c93b352795e1c56275ad4c49bd9b4b66178199d4aa539f5f7c288960d8e6c6281608789c9c8787e152f92266844b00ff1009c6d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
ed02df6f168d9ca54fd6e3f7ceaabd79

SHA1
c5b09dbea014fabcf02bed36926cbf87a78d6082

SHA256
0808f718430bc6a3e104d5e5fa0c754a1ac32c372d4b38504e6bf8731257e050

SHA512
abe0e0ff8f850868d962333de754b4596a5e31731d46982dd6224ef08cbcd102376744fd4071a4d71dd9bd8a0a61abf6c001c31946a456cb26761b6d8961ba62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
ed02df6f168d9ca54fd6e3f7ceaabd79

SHA1
c5b09dbea014fabcf02bed36926cbf87a78d6082

SHA256
0808f718430bc6a3e104d5e5fa0c754a1ac32c372d4b38504e6bf8731257e050

SHA512
abe0e0ff8f850868d962333de754b4596a5e31731d46982dd6224ef08cbcd102376744fd4071a4d71dd9bd8a0a61abf6c001c31946a456cb26761b6d8961ba62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0c7100775b5ac7d8af730a81e88901c8

SHA1
e75186c6d77aac7a597b7846a5d780bcde2f1771

SHA256
3d7846b08f02c0773754d71143a24e3e3f4a1c0bc4a4874a7e19088159baf2ba

SHA512
fc91f789d2ba14bd994318b5d3a1d245bb97cfd93fd7d1a52b1b3e558b0af194a9f3168f455b89b757a1e6d34df29015126b38cbdd5c37b4be5b00babea49f09

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
19042c2f2c253881ee8f2bc4b2d343f3

SHA1
bf8b28fe25263265d97e0755462ad308db0ed110

SHA256
88391b86784c69ac0edce5902541519c5eeb509d0b27db5295c3720b36862be8

SHA512
e7bd83a3fbea55d1287c03eb97dae96c8f16eda53a134d91fc571da6b6e9274ea5f31078744d5fb84b3816362991838188eda2654ad376154c4a0649ed660a9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b42fc0253de26d4550a2b6c543fa0e6c

SHA1
48cb14e12769f5444e2bd69d2062478e129486ff

SHA256
31e04163e45cce747ce475af02c4431710e4bc438fdac40a13e26c9e050c3504

SHA512
a6c33071a865b5fab65efbe0eaf30a34df58ee1eb3e547211a8a390209105d4b3751b1e4f4e64089d3e8ef4ab4587da6e1722985e2dfd1c0ffd5338fedfe2034

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b42fc0253de26d4550a2b6c543fa0e6c

SHA1
48cb14e12769f5444e2bd69d2062478e129486ff

SHA256
31e04163e45cce747ce475af02c4431710e4bc438fdac40a13e26c9e050c3504

SHA512
a6c33071a865b5fab65efbe0eaf30a34df58ee1eb3e547211a8a390209105d4b3751b1e4f4e64089d3e8ef4ab4587da6e1722985e2dfd1c0ffd5338fedfe2034

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b42fc0253de26d4550a2b6c543fa0e6c

SHA1
48cb14e12769f5444e2bd69d2062478e129486ff

SHA256
31e04163e45cce747ce475af02c4431710e4bc438fdac40a13e26c9e050c3504

SHA512
a6c33071a865b5fab65efbe0eaf30a34df58ee1eb3e547211a8a390209105d4b3751b1e4f4e64089d3e8ef4ab4587da6e1722985e2dfd1c0ffd5338fedfe2034

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
b42fc0253de26d4550a2b6c543fa0e6c

SHA1
48cb14e12769f5444e2bd69d2062478e129486ff

SHA256
31e04163e45cce747ce475af02c4431710e4bc438fdac40a13e26c9e050c3504

SHA512
a6c33071a865b5fab65efbe0eaf30a34df58ee1eb3e547211a8a390209105d4b3751b1e4f4e64089d3e8ef4ab4587da6e1722985e2dfd1c0ffd5338fedfe2034

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
ba6884251856c1606869686a0cc55184

SHA1
acbff1bfc5bf22ee48b2af9347ee5d78892654ab

SHA256
a7ea0d3417e70ac69520b38b934c686ee458cf490bab1270e994ecc45014fc3f

SHA512
bc93507553526ee0eb9c595deb5c07d2e8cb53d658bcf9914daf8d09c1786ac6431e89acb95350dd87228593e6a18ad7a9f527b89f178ce7fcbc240e6a6b8341

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
ba6884251856c1606869686a0cc55184

SHA1
acbff1bfc5bf22ee48b2af9347ee5d78892654ab

SHA256
a7ea0d3417e70ac69520b38b934c686ee458cf490bab1270e994ecc45014fc3f

SHA512
bc93507553526ee0eb9c595deb5c07d2e8cb53d658bcf9914daf8d09c1786ac6431e89acb95350dd87228593e6a18ad7a9f527b89f178ce7fcbc240e6a6b8341

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
fd374212d7461bffaab675f88c5c334e

SHA1
e3623c554818001d8d3d1d905a2feffc1a7e04ea

SHA256
bb1c6cb0b415a7edbd0db182019916301b34815ca7f7b016c0e45334ac8578ff

SHA512
4b08e5c43977aff40758e5683565fac7b42fd2dee804a3b1785a0b054b698ebf90d27bddb9dfc54b51ce7833fef027c95dedc38b1d54916df0551a932f6a0717

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
e2bd2d77a1a89acbf3b9a10498399f84

SHA1
39f8e2b2bd7c3126b2f7e28ce57192d8a006d0da

SHA256
7be8c6d73891599b7004b464f63ff4864af5ab9e6f4a55d949ab78ccaf48b230

SHA512
4e7f096ab9a5211aacb423f31c804d9a7abd8adb6aab6bf79165b88ec8576cc53eb18c913ca2072dec75d1cc3fe58d29ccee23722f7a87646f19735eeb35d707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
c6afbed70b21b2c01a19c3f63ca03589

SHA1
68b73089849388d20d04e8e399d05e4eed91a4c3

SHA256
830aee79eaccd5eb444843f6f1255c40c67039c6fe212e7f092b7898422d4db3

SHA512
57e1ca44b322775ad2c92f3ba74b3bde58101ffaa50fe0f30a90691120c07d03cadedaf738a163e63f0a48242f1bd190323b420598526fdde1ffad4002e87391

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
4c56ed7527745cab21f859b7fa99bcc6

SHA1
ab0783aa07430329e0c8c4aff2273faf389c7818

SHA256
c11e640f72cd29f79ee126fa581ad36f84eb737e6a25d69c3531e65994adfd79

SHA512
57d63ff7ca242b04ad65474f8a2eef97c4b38c6c50ac86d312e8ef8f1e1c027156323f8c203db446be4b9e002179b5e5f19bf5c98ea74b6c85c51d032b2e02d7

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
58de13c6da691a825a9b0e88ad62ed0a

SHA1
2585688ded0a67779d0b4235d85c25fdc11672fc

SHA256
803b26f903348e817afbecbfcd5b9d4ec94af97c2a45aa583b4b934a0748b017

SHA512
8f8620e7c6c623c857cd5741a9f9efeb7be67566a3c54b09892c7e42996482706c0564b2ac9a6c4cfec89179c616fd714722bacce490b6d45a47a0d675e31203

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehRecvr.exe

Filesize
1.2MB

MD5
3f027bf8e4c1dbeef74d43db5e845522

SHA1
f824ef64b1344d4c5ba17a0de63f1d36b05b4c7d

SHA256
ecb90979403b1ec599b3067bfdd0a6eaa390e036ed042b2fc4b8f34a49287918

SHA512
16bea9b2a7c04ffbdb58f6fb92bad40984d22292eef8e3fabca3fde315af479104131077b457b8175effeab12604f6f702f8ba4b03811f452a1e4b120ebb71f2

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3f027bf8e4c1dbeef74d43db5e845522

SHA1
f824ef64b1344d4c5ba17a0de63f1d36b05b4c7d

SHA256
ecb90979403b1ec599b3067bfdd0a6eaa390e036ed042b2fc4b8f34a49287918

SHA512
16bea9b2a7c04ffbdb58f6fb92bad40984d22292eef8e3fabca3fde315af479104131077b457b8175effeab12604f6f702f8ba4b03811f452a1e4b120ebb71f2

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
ed02df6f168d9ca54fd6e3f7ceaabd79

SHA1
c5b09dbea014fabcf02bed36926cbf87a78d6082

SHA256
0808f718430bc6a3e104d5e5fa0c754a1ac32c372d4b38504e6bf8731257e050

SHA512
abe0e0ff8f850868d962333de754b4596a5e31731d46982dd6224ef08cbcd102376744fd4071a4d71dd9bd8a0a61abf6c001c31946a456cb26761b6d8961ba62

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
19042c2f2c253881ee8f2bc4b2d343f3

SHA1
bf8b28fe25263265d97e0755462ad308db0ed110

SHA256
88391b86784c69ac0edce5902541519c5eeb509d0b27db5295c3720b36862be8

SHA512
e7bd83a3fbea55d1287c03eb97dae96c8f16eda53a134d91fc571da6b6e9274ea5f31078744d5fb84b3816362991838188eda2654ad376154c4a0649ed660a9b

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
4c56ed7527745cab21f859b7fa99bcc6

SHA1
ab0783aa07430329e0c8c4aff2273faf389c7818

SHA256
c11e640f72cd29f79ee126fa581ad36f84eb737e6a25d69c3531e65994adfd79

SHA512
57d63ff7ca242b04ad65474f8a2eef97c4b38c6c50ac86d312e8ef8f1e1c027156323f8c203db446be4b9e002179b5e5f19bf5c98ea74b6c85c51d032b2e02d7

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
58de13c6da691a825a9b0e88ad62ed0a

SHA1
2585688ded0a67779d0b4235d85c25fdc11672fc

SHA256
803b26f903348e817afbecbfcd5b9d4ec94af97c2a45aa583b4b934a0748b017

SHA512
8f8620e7c6c623c857cd5741a9f9efeb7be67566a3c54b09892c7e42996482706c0564b2ac9a6c4cfec89179c616fd714722bacce490b6d45a47a0d675e31203

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
3f027bf8e4c1dbeef74d43db5e845522

SHA1
f824ef64b1344d4c5ba17a0de63f1d36b05b4c7d

SHA256
ecb90979403b1ec599b3067bfdd0a6eaa390e036ed042b2fc4b8f34a49287918

SHA512
16bea9b2a7c04ffbdb58f6fb92bad40984d22292eef8e3fabca3fde315af479104131077b457b8175effeab12604f6f702f8ba4b03811f452a1e4b120ebb71f2

Download Submit
memory/1000-477-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-463-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1000-435-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1072-147-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1072-142-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1072-286-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1072-151-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1104-345-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-344-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1104-358-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1104-359-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-335-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1240-314-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1240-270-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1240-262-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1240-263-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1256-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1256-256-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1256-1-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/1256-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1256-7-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/1256-6-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/1500-176-0x0000000140000000-0x00000001401D2000-memory.dmp

Filesize
1.8MB

Download
memory/1500-95-0x0000000140000000-0x00000001401D2000-memory.dmp

Filesize
1.8MB

Download
memory/1644-164-0x0000000100000000-0x00000001001CA000-memory.dmp

Filesize
1.8MB

Download
memory/1644-170-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1644-291-0x0000000100000000-0x00000001001CA000-memory.dmp

Filesize
1.8MB

Download
memory/1644-162-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1660-105-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1660-98-0x0000000010000000-0x00000000101D4000-memory.dmp

Filesize
1.8MB

Download
memory/1660-123-0x0000000010000000-0x00000000101D4000-memory.dmp

Filesize
1.8MB

Download
memory/1660-99-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1660-104-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1952-377-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/1952-367-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1952-372-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/1952-476-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1952-474-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-332-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1972-285-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1972-287-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2240-125-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2240-274-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2240-132-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2240-126-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2376-177-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2376-305-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2376-275-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2376-259-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2376-337-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2376-214-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2532-387-0x0000000073F58000-0x0000000073F6D000-memory.dmp

Filesize
84KB

Download
memory/2532-325-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2532-339-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/2532-376-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2532-378-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2652-67-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2652-161-0x0000000100000000-0x00000001001D9000-memory.dmp

Filesize
1.8MB

Download
memory/2652-66-0x0000000100000000-0x00000001001D9000-memory.dmp

Filesize
1.8MB

Download
memory/2652-80-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2652-81-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2676-154-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/2676-114-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/2684-360-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-348-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2684-354-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/2684-374-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-375-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2708-307-0x000000002E000000-0x000000002E1EA000-memory.dmp

Filesize
1.9MB

Download
memory/2708-316-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2708-364-0x000000002E000000-0x000000002E1EA000-memory.dmp

Filesize
1.9MB

Download
memory/2756-322-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/2756-324-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2756-299-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/2756-295-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download