36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 06:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
Size

1.9MB
MD5

ea5dab113d45d52847dda067cc8b0f26
SHA1

765e7272ca69bfc27f75ee0103962f9ab9e5143e
SHA256

36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f
SHA512

8cd30d6fb1458cf7f5be60c415beefce17615d713d7c3d71fc371b83bf9c2d89bc1fcbd49ae1e6d0249d30de21662483326e5ac07eadc4cda5674450bb9c2362
SSDEEP

49152:PhO8E9eqlK29lnsIwlHPiRxAHQle30jaNf1TWbdz:JOLM2KulnhwlviRx8WU023W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 48 IoCs

pid	Process
464	Process not Found
2832	alg.exe
2700	aspnet_state.exe
2880	mscorsvw.exe
1676	mscorsvw.exe
2324	mscorsvw.exe
2196	elevation_service.exe
1352	GROOVE.EXE
908	maintenanceservice.exe
1644	OSE.EXE
884	OSPPSVC.EXE
2692	mscorsvw.exe
560	mscorsvw.exe
1736	mscorsvw.exe
2752	mscorsvw.exe
2736	mscorsvw.exe
2996	mscorsvw.exe
1276	mscorsvw.exe
816	mscorsvw.exe
560	mscorsvw.exe
2100	mscorsvw.exe
1168	mscorsvw.exe
2020	mscorsvw.exe
2656	mscorsvw.exe
2680	mscorsvw.exe
2736	mscorsvw.exe
2996	mscorsvw.exe
1948	mscorsvw.exe
816	mscorsvw.exe
2944	mscorsvw.exe
1652	mscorsvw.exe
840	mscorsvw.exe
2856	mscorsvw.exe
2916	mscorsvw.exe
2612	mscorsvw.exe
2680	mscorsvw.exe
2736	mscorsvw.exe
1660	mscorsvw.exe
960	mscorsvw.exe
896	mscorsvw.exe
968	mscorsvw.exe
1280	mscorsvw.exe
2092	mscorsvw.exe
1832	mscorsvw.exe
1492	mscorsvw.exe
2136	mscorsvw.exe
3044	dllhost.exe
2108	ehRecvr.exe

Loads dropped DLL 32 IoCs

pid	Process
464	Process not Found
464	Process not Found
1276	mscorsvw.exe
1276	mscorsvw.exe
560	mscorsvw.exe
560	mscorsvw.exe
1168	mscorsvw.exe
1168	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2736	mscorsvw.exe
2736	mscorsvw.exe
1948	mscorsvw.exe
1948	mscorsvw.exe
2944	mscorsvw.exe
2944	mscorsvw.exe
840	mscorsvw.exe
840	mscorsvw.exe
2916	mscorsvw.exe
2916	mscorsvw.exe
2680	mscorsvw.exe
2680	mscorsvw.exe
1660	mscorsvw.exe
1660	mscorsvw.exe
896	mscorsvw.exe
896	mscorsvw.exe
1280	mscorsvw.exe
1280	mscorsvw.exe
1832	mscorsvw.exe
1832	mscorsvw.exe
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\70cbca38c30a3ea8.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_kn.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_ru.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_es-419.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_et.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_ml.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_fi.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_fil.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_bg.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\psuser_arm64.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM63A3.tmp\goopdateres_es.dll	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{718F591F-A42A-4E9E-92AE-2C0FCEE131D5}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1C38.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP46D0.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4BDF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP60B6.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP734C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2C8C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP389D.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP904E.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1764	36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeDebugPrivilege	2832	alg.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeDebugPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2196	elevation_service.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe
Token: SeShutdownPrivilege	2324	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2692	2324	mscorsvw.exe	38
PID 2324 wrote to memory of 2692	2324	mscorsvw.exe	38
PID 2324 wrote to memory of 2692	2324	mscorsvw.exe	38
PID 2324 wrote to memory of 560	2324	mscorsvw.exe	39
PID 2324 wrote to memory of 560	2324	mscorsvw.exe	39
PID 2324 wrote to memory of 560	2324	mscorsvw.exe	39
PID 2324 wrote to memory of 1736	2324	mscorsvw.exe	42
PID 2324 wrote to memory of 1736	2324	mscorsvw.exe	42
PID 2324 wrote to memory of 1736	2324	mscorsvw.exe	42
PID 2324 wrote to memory of 2752	2324	mscorsvw.exe	43
PID 2324 wrote to memory of 2752	2324	mscorsvw.exe	43
PID 2324 wrote to memory of 2752	2324	mscorsvw.exe	43
PID 2324 wrote to memory of 2736	2324	mscorsvw.exe	44
PID 2324 wrote to memory of 2736	2324	mscorsvw.exe	44
PID 2324 wrote to memory of 2736	2324	mscorsvw.exe	44
PID 2324 wrote to memory of 2996	2324	mscorsvw.exe	45
PID 2324 wrote to memory of 2996	2324	mscorsvw.exe	45
PID 2324 wrote to memory of 2996	2324	mscorsvw.exe	45
PID 2324 wrote to memory of 1276	2324	mscorsvw.exe	46
PID 2324 wrote to memory of 1276	2324	mscorsvw.exe	46
PID 2324 wrote to memory of 1276	2324	mscorsvw.exe	46
PID 2324 wrote to memory of 816	2324	mscorsvw.exe	47
PID 2324 wrote to memory of 816	2324	mscorsvw.exe	47
PID 2324 wrote to memory of 816	2324	mscorsvw.exe	47
PID 2324 wrote to memory of 560	2324	mscorsvw.exe	48
PID 2324 wrote to memory of 560	2324	mscorsvw.exe	48
PID 2324 wrote to memory of 560	2324	mscorsvw.exe	48
PID 2324 wrote to memory of 2100	2324	mscorsvw.exe	49
PID 2324 wrote to memory of 2100	2324	mscorsvw.exe	49
PID 2324 wrote to memory of 2100	2324	mscorsvw.exe	49
PID 2324 wrote to memory of 1168	2324	mscorsvw.exe	50
PID 2324 wrote to memory of 1168	2324	mscorsvw.exe	50
PID 2324 wrote to memory of 1168	2324	mscorsvw.exe	50
PID 2324 wrote to memory of 2020	2324	mscorsvw.exe	51
PID 2324 wrote to memory of 2020	2324	mscorsvw.exe	51
PID 2324 wrote to memory of 2020	2324	mscorsvw.exe	51
PID 2324 wrote to memory of 2656	2324	mscorsvw.exe	52
PID 2324 wrote to memory of 2656	2324	mscorsvw.exe	52
PID 2324 wrote to memory of 2656	2324	mscorsvw.exe	52
PID 2324 wrote to memory of 2680	2324	mscorsvw.exe	53
PID 2324 wrote to memory of 2680	2324	mscorsvw.exe	53
PID 2324 wrote to memory of 2680	2324	mscorsvw.exe	53
PID 2324 wrote to memory of 2736	2324	mscorsvw.exe	54
PID 2324 wrote to memory of 2736	2324	mscorsvw.exe	54
PID 2324 wrote to memory of 2736	2324	mscorsvw.exe	54
PID 2324 wrote to memory of 2996	2324	mscorsvw.exe	55
PID 2324 wrote to memory of 2996	2324	mscorsvw.exe	55
PID 2324 wrote to memory of 2996	2324	mscorsvw.exe	55
PID 2324 wrote to memory of 1948	2324	mscorsvw.exe	56
PID 2324 wrote to memory of 1948	2324	mscorsvw.exe	56
PID 2324 wrote to memory of 1948	2324	mscorsvw.exe	56
PID 2324 wrote to memory of 816	2324	mscorsvw.exe	57
PID 2324 wrote to memory of 816	2324	mscorsvw.exe	57
PID 2324 wrote to memory of 816	2324	mscorsvw.exe	57
PID 2324 wrote to memory of 2944	2324	mscorsvw.exe	58
PID 2324 wrote to memory of 2944	2324	mscorsvw.exe	58
PID 2324 wrote to memory of 2944	2324	mscorsvw.exe	58
PID 2324 wrote to memory of 1652	2324	mscorsvw.exe	59
PID 2324 wrote to memory of 1652	2324	mscorsvw.exe	59
PID 2324 wrote to memory of 1652	2324	mscorsvw.exe	59
PID 2324 wrote to memory of 840	2324	mscorsvw.exe	60
PID 2324 wrote to memory of 840	2324	mscorsvw.exe	60
PID 2324 wrote to memory of 840	2324	mscorsvw.exe	60
PID 2324 wrote to memory of 2856	2324	mscorsvw.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe
"C:\Users\Admin\AppData\Local\Temp\36d87a1d812e62714d8efd8e8f416e1baa2bed67ba9c739904bc09dfd569e87f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 22c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 278 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2bc -NGENProcess 284 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 270 -NGENProcess 2c8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 270 -NGENProcess 2d8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2d8 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 2cc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 274 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f0 -NGENProcess 274 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 284 -NGENProcess 2f4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 274 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 2ec -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 2f0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f8 -NGENProcess 30c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 30c -NGENProcess 318 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 318 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 320 -NGENProcess 2ec -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 320 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2f0 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 31c -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 1f4 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 1f4 -NGENProcess 1f8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 228 -NGENProcess 244 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1d8 -NGENProcess 33c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 22c -NGENProcess 2ec -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:908

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1644

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:884

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3044

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
9980c78f4a4cde626f1ce8b2cbea564e

SHA1
6621cfb25a1803e157c1cb83f2fd1354cc1b2cf8

SHA256
f0a29829f7179285611195029a66bd9acde4cd4edc19bc260faadcf271f8811f

SHA512
7e1c50019378261e183448295877d39b568974ed8e822c88d84f7019064b955d9ece0b1ab3b33f0ec86b6bfa01b2ca786ca4b0020079b04f2ca8527e97f4119a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
426ffafc4c13fa815282b5ca83d2674d

SHA1
99aed418c6492724b9e24513372f75607dfea594

SHA256
914fed582b26a0aa9f1f1cba47c08d6a01c0ed771029f93ea28941fc0ee950f5

SHA512
93e6a60a59e51652a9d17b7bb7860963430698a2b9d92ccf963b4ee6958c0058cec55930bbd53435509fff538b18f3f7b8b2bd9a47e15b2ed8d7adb3963c19c0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
73856d40aa8b953d80e7275eebc77461

SHA1
d44d2e93cbb9256d4951030c5830d32f5fd130f2

SHA256
05294efc5b79d7af580726bc6115a869eb45ce4d6f99171b78e8e8d79b9f3ea9

SHA512
ac827f1625c60b7b825f05b70d59940f0354c7d5762ef862ffd277599dff04569a3a81d3e3fe24e5448db84a084a94c58a0e4ef16c49de2b90248350e387183e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
cf244d32abd54a8c5f20cf2f768eabd6

SHA1
d77b2a533831cbad1b81d35e37ec8dccfe9851f4

SHA256
ef7208bf6509406b908a92bb9621342cb91e3bfe873594bbf21ed0ea46d618cf

SHA512
0195840ff3705431646a53c3df38e6067af8a45bed98ad0e3d92606f0dc07715c0239422daa7d5acfb7e165553c6ce9f82d352a677e27f0da5f741db399e65fe

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
6c0dccaa262ed213e01682e8baf34285

SHA1
f076078a46aaa0bdc00c55af30bc1b53f1466c12

SHA256
751494c940fc7f222cbeab22124264f393ef08cedf3a86e2b329384171975e05

SHA512
d0d3ec774c8b028dd3b0c0b8d0e8d410d54d87af8f566b608b27c68dc399c972f53c371f5b780165d0b05b9c63c36601ec68c315ccb4bf53c297f7527cc23946

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
8a8f575092f843d6a2855f761b185cf5

SHA1
d6962077e3e687a5872f753038c6a61625d44a94

SHA256
7f34de899ab7a7c522adcb95edbfaf7afc59465e2a25be28e9bcb53027dda7f8

SHA512
2d17cbd86cfe284c0f13f9dc1ca719f82eaf1ec4c49b662eaa80a23d87602a2c18fe7fcee02ca95ef503a9ffe59432db806781c054995b03c812c16e945337b9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f14581fdbba4cefde5ad3e8181f6af4b

SHA1
6249fed874e4c8e387d9a037d14ed57153aa8e08

SHA256
45c82a8ab2e6267b6f08134e2f23a2834032a3eba7224bfb77588e70553efede

SHA512
4b1916b46f1bf4896ff45bc64b8899d8224e40dfd6736bdc4b6ff36561f5a84e3430fdcaf9eca27261cb0f32433f8df3bb0af7e1725ea0a255438825d3410062

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f14581fdbba4cefde5ad3e8181f6af4b

SHA1
6249fed874e4c8e387d9a037d14ed57153aa8e08

SHA256
45c82a8ab2e6267b6f08134e2f23a2834032a3eba7224bfb77588e70553efede

SHA512
4b1916b46f1bf4896ff45bc64b8899d8224e40dfd6736bdc4b6ff36561f5a84e3430fdcaf9eca27261cb0f32433f8df3bb0af7e1725ea0a255438825d3410062

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
2214afa6c94e5ff7267a986a5a710773

SHA1
be3df90acfc8c49bcbf4ef432deac1def1b1ca1f

SHA256
3ec588a91828c52aa07f07c69285785c2d0b2b325034b14ce3722048bec4ce39

SHA512
a4854c29ded25c5dd2e24d8d95f58dfe59c85d8d3811cf9e9b692842f31799409ac353a6317eb1f91b9f93f5e002dc48c94f4daad6aa54a62e23450656e80b35

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
8edcfd783cf31287071c6df926c373c9

SHA1
1f567115a4225da18c6d8792dfa1c68f869d72d9

SHA256
e38a2e581f1f59b9d2ee82fbb5f7009ba6b9729bc1422806bc7b4dbb537fa9da

SHA512
2109da03bf82be0ae6d3eda0e0280e37a4def74eb94e5401580026f90224c7194b5bf37520f64198210b199d5f9a1f62f180135c3193eca1f6136b96deb32c5f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
af311ab80f9ce6730ce4b2875878903d

SHA1
a7272288ff918950d8c8f4e65ef8e2850a07e12d

SHA256
ca40ee31fe35ca09d9f1253b28c2fbaad25ec7cc9bd03f5f2b0eb76054d6fc5f

SHA512
a11bb3cc65531564b73c7e55f2b0216cced7d3565ce244c2cb690d73a4b287c2f0a3128faa35e9035062d1f1afee04898a9bf574564600e64046e051b1d60019

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
53ab0cd056a4b96ffdf15d13bc2a3cec

SHA1
b9f46232956676f0840849d498e8196a64044377

SHA256
4ffa7f9c52e788d7f28002988956fb859bfae02009f0b8caa8807bc4e66f59a2

SHA512
8eb725a711191afefd15b2163b772fa8eece52c7900913be123944b56b4ab48b1fd41c1b667d37c8e8fbe16e1fad36e6bb9c1ed63a7737c8c63e8f497a834047

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
34b760b310f8225d501c98cfc83decd5

SHA1
0227f396ed08834e62757e1961bfa49bb00c6dbc

SHA256
3d9ebfd52726bcf08ee81410de60c28e90ba70676ed0b1921bf8956cd62e6ef3

SHA512
58b007813a4170ccd92f79708ce61854103c7504f3f2bc4d6d05f7a42f18fb653fa02d18975ef5f2cc1fcc5242fe94ca23006383ad964d8223d42205d5459bd4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
36362910972197632388598b6d2bf265

SHA1
1b451dd8dafbed2f9d901c216e18156123308dfa

SHA256
8dbcc16010143f818680f3f50b0c28f68b386dba0261bd8b2cfe7712b9f432ad

SHA512
10808c45c56b0163b8cde68d673dc6af106ba3a8af14f16ecf1bbb9308ba6af2d87694e28b6412dae7ec184d5c0c199c289a3481a360823a89eecff9ddec852c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
80e5bef08515e69a18d469f79bae8577

SHA1
5838629fabe8e10863528d800e6366180e1d8deb

SHA256
289581b51ecf786d243faf6bfe25be5e1e3a3f68c314b203d35598af184811e7

SHA512
eccecdc5ed1372f1fcc6201cdcb01467b53c43ddb083e39b5ca1cd696b8f0761d80e41602719f1e62fff47c9bffd792c7b0af02ac07c7667788869b69f8bfb85

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e7b92af7282a44ef6ccec9bffb560674

SHA1
06e169633e0c2494a16699a4126a5bd94b4b9c2c

SHA256
8ee764d371394b026e6a61accc8c6fd0f9dd6da069cbb1b128fd3915b83d9bb7

SHA512
eeb079a78a6c0c9ce0a0c620addc8b8cc19a4a15c4c843508c9f8ca27e54ab1375cd28ae5ba74fc5cecd3ef564bd8ace984b0532ae808aa8327a77f6508625f2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
404c304b4c8fe19be1882105953d4d46

SHA1
3fa82e7fe569dfa6454527137def14de1ba32120

SHA256
f4bb73914472b19948c5732e9ede87468ff26bf174e07ed94c9e4ecbbd8a151f

SHA512
1a60cdce265d91b8e9bfde95a32ebc405ccae726de533b006423106d71db25389391477787b7379638bfe245e81638bb3c3b35e849a0f5eca78add00092d64f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
e98c2dc7bc9fb29bc83cd6f6e332903f

SHA1
440166cb91191b796ce522fe378139fa940c8996

SHA256
da5c31c967f1e7ac7c03c4b89cabfc2d0df9956da4bf923904956ca8d05f35fc

SHA512
25a2a45d8066db1e1c5434ae260910479934687c58b1ae629704034456b3b7e5f725ae9cd0e705ce8ef8a54402cf0e73c9a38bc02d3128f195c2d760683cdfdd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a904098a48513ad51847b23ec4b4f3f4

SHA1
5b8325db51779413dcf87df40d1abb05c5cb735f

SHA256
4e9a3c01459a709dd7d1fa55edeb31fc06f4106b712c182d049967250c0f4739

SHA512
e8196bdbdeb2f31a99c9574a87ba8cbd86ac19b0c9de11707a7234aaee37ffd0edc4a4c93f60e494093d128a5a47f20243c0c609537e4348ba39495f89616e68

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
58bc3da1bb0d8485b148385881a40b26

SHA1
ae6df65ecc6e04f10a4c066b8bbe3807d1c3d32a

SHA256
debcd90f05c9ffab3b96ac71b60b5bad14e9ac7005082dc7cab8f3b9a8f690da

SHA512
9a948404d1b05e9d65c3b71086a237f24fab4779a70e790d65e798e4857979f6fc59d385a24e6b8e7e74f43fbeff7e6e3b5e4d3484c5fc618fc3c7f6831e9eca

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
f8207e2c8b792f718397d0c71697d27e

SHA1
d39b6a23c88b3c1305ad325df5b36d7ef27201d0

SHA256
31da071e496802b172451cdb3943795bc29b9f80e87788d27f8d5518e88d6cfd

SHA512
0934b16d4c5fa5fc1ff3c641227f6b7beeb91144092ea55e8ace4b999e58a805c72c3799873171e9f6df2b2abe05b347dffac77877bbb14be75df98162f20494

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
298cc6fa77c519d29c14565f28dafb09

SHA1
e713e9cd87d845f83604b5fed2f21fc58df55dfb

SHA256
c32ca97aa003bc71fdc0caabedbef05a53796698b513747ab88026803aa5c6e0

SHA512
d2a72f07aaa146b5d80b57b352b9e092cdb8f18c78aac7b54540f962b6ab4c5d926f553c8dfe2ead20a8f3381350b4f97a5f4315f47005ae1fcaa849645006ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
c4c0367ab2ef25f2944378c522c8b010

SHA1
a00fe260213707ae5cb48155880cdd08622b8472

SHA256
44afcdb071206e2ae354b31429c668840d5bd5e5097ffedb198ecbec6a41481a

SHA512
b5d41b5cb4f57f364d87e5d4ff4f12202fee87641e728fc0ef78a7637f4a8213dddd698f5cf4c5adae9deadfb0db5675d278df50f6954668786bfa2ea5fc231a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.2MB

MD5
5033476641b223e5df64915cbc2b2a80

SHA1
205d45b1b32518dd983c228031176e15e9e0c4c6

SHA256
5a0e424dc2bc78ca9366d81f98c95861818f5fff274a539e6b6b566b50450f30

SHA512
8282d3e96ba7b92c7c7c56658f78b336aede348df690ef0da2ea8797bc6af64ecf0e83d53ff4fa02436743c488b793182771036bf813a4525a9c3cc8b346ba12

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.2MB

MD5
9958775414b550ac40f98ea78f2e4361

SHA1
2731cc33c115691a95d3d7bb93bf4106586d57b9

SHA256
6164a6b3923cd16e88786cb6e8912d15da8b044e4175c4bee8effc8f52b60d48

SHA512
dcc1f29bbbffd34ce8ec6b378612372d4e12e3a3de3ab21ad9382dd900da89f24e354d941187d52dcb8b56925f0bf79f66cb4b9705d6718fb3ab5ed2701363e4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
1.2MB

MD5
191d2d09356693244ae8894ee53e9031

SHA1
b5ba4abb9731a6bc638647fa81e2f97ea1edbec8

SHA256
96c02f732e7be502bb84b0f30b95c55e3ded3e14bd33d47192dbdaebc6f1a9d6

SHA512
40546e047e8a3fd54f014f56ea5f73ac0a78cd77007256f49711e7278728e32b5c2b3d9a0fae3203bdb7d9b6f9ff6ad2abc4d3a2cb65bd4cd5aa87db9f22eab8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
1.2MB

MD5
7f4e54a98c731c6bf1e678f053217f2c

SHA1
d02bb26d9c9a24787e4b8b3b2564bedadb975e0d

SHA256
2aa4447a902c1aa22fee7d011597fb648c5f3dcb3d833cbce9aa8b9a9f27c78b

SHA512
c82468824a3c5e449c24051432d6f46244bee428ebfca9aa34eb5861f6132d54209871bf48cf8aa64d5d818d16ba9a992d8f700245fa1885a9f823e448d992a0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
1.4MB

MD5
5796e305b85561b2674d6a9ca76edc4f

SHA1
cb8c53ba2d85c22fbcb5ad4f6a5741e469a43222

SHA256
b7f22e4ad15d3ee4e4137489f8641ec7ad7cf972fbcdffa7c2262eccc24fbf2b

SHA512
1bb430a0a93c380f3b9b5f330762bd902e22f30e6bb42068f75b320f65b1873bcf0d2ad984c164f583a8e6edb8ba3d4e52e593f7cff71e0e7cd8b8c1431ec2c2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
1.2MB

MD5
dd1264d7adce5a537c762947546b61aa

SHA1
6dc5e414ec820be1ba18ab703f4447074824bc68

SHA256
3c42b7ecfd212fa72feda5de89e785cc67300577c942052c68019762916c5e5f

SHA512
1de3150e49edafc06aa206adc37d2c621c6e0695b672f5fa1928600ac7942b38008e402a66183c9471325b73b3bb866bce67cb68270fd435a8ff8986e453c67e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
1.2MB

MD5
a957dbc75967da42aed7bedb29049829

SHA1
27388f24fc32b54bd04495aad5493bfeaa8a7b1b

SHA256
ee5b1407154ca035eab8b29ea87fc944f6cbc0626af11f15dc3bc8d72ec354c5

SHA512
366c81ae3e4560fdb8617cec5c507a8fa9d0dd7095299752a8ce5e2685bf64cd86cd23b10bf3c0670b2b4c4409d9ca26723a92021929416c1239f68a9dcd9351

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
1.2MB

MD5
57b61485a65035f42de5e128cf1e5b6f

SHA1
15446ade2070c6329cbe2c2ea934b5114df52b10

SHA256
fdb8cfbfd4dae8f171c4e95ba8c73f54047c31e12239880c3922f9fe562fa3c7

SHA512
dcccd89a8c9a0b0b55f9695fc93689e46118840774b155bf037ce00974cd37dc4f0b3775b986a6967f7bcff00f26ea950c534f7bdf4a83f2faf25bee9249c136

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe

Filesize
1.2MB

MD5
ba539e9ac3818ad8737bc7bb6a46a733

SHA1
25ab57e6df7be3da1f2784476c13e48222a4e9fe

SHA256
dfa890344073d479b45001534c4a7ee908033c36ba87b349462b7077cd79904a

SHA512
29539045a9cf3fd90afe697e20a8b218e869ef75b9b607d89f59c9135310f7eb521eb81e2df2a1bf9a10af1daba07259254f80da2c03863a933aa680be6489d5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe

Filesize
1.2MB

MD5
626234d441f39affe8d0f7c6e0732ea2

SHA1
989ad2cd2fe8a4a7c0a105d5a5db105c5bcb7a4d

SHA256
d195f7a2dcbdbd9704ff46e2cf8146bafc20f06903a80cf72a12898d24946411

SHA512
92d1fa0986864ed6f9186bf223747c8ce8bf778d00df7f5a6cb878ca063612ebd79f2d39b35e72f8ace90382e21f531ea9d8eb5e7d78fa73b5647a9d73be431d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe

Filesize
1.4MB

MD5
4e2812fcb5bf181fd5ddda864b480b75

SHA1
a40b32ca67589f1149cc66df790f7e23f0c678dd

SHA256
3e1c7d36b3753951eeeea24d5299663cbb840ca12cbebaa5dc5b310da6be65c8

SHA512
0e952e20f3a8f0df451856d8d0493ef99cf1f941a5ca1d59ff04305a34e5741ad6ece129bb639fa2a11f81939c1c151c6d122f48636804c8b26149e04a11ffa4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe

Filesize
1.5MB

MD5
fdb2066e8d5876d5b9ae9204719bda7f

SHA1
a93391f62aae73e36358c5a49c72ea0eed1e52e8

SHA256
d1ac0ecb63b84cc70c75c10b0be06fec2b57d838943053997c0e1d8c7b46804b

SHA512
4732b9e8e90f2a12286675e184a7a72a7ad694b26394a664cc5ba859f22a0b8d2917f487167642f27dd604a54e04f916629ead4659cdc6a7c22aa6ef100a060d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe

Filesize
1.2MB

MD5
92cd6fd435ca17a0be4ce1b9522fed35

SHA1
9717e59abae255563d530253c8e0fc456b26240c

SHA256
bce4d976b8ecbc0da466961a558a93c028192f4338ca8901a007b1f5caff910e

SHA512
713732ee8630b110f82ca35b87a8b985fcbcd434a3ad2b8cf6471a9a219fd5dfbbcfb2543b3ca06c7598f9380e18eec2deef87e7453852ff4bbf4bc2f357e1d0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe

Filesize
1.2MB

MD5
b392c567cc38b8eb215850b2681878f0

SHA1
cb510cf4c24901f729b89e7fdeefb2b994b1e8d9

SHA256
3cfe57db3278b0ff39041240b9070ca047d75f24e2506abb83def162548f2dfc

SHA512
bb985be14abb52faa7b59cb8ba2b4e09737d7b5fa7c3354b17804715186d966f86f7f185cfd4e0173571d6c4044a94a6de005d2de4d6e03ee80530d106176ab4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe

Filesize
1.2MB

MD5
befdfd3a6519822736b0740a83981b9c

SHA1
67050770c0635445a8bb63e9e23d3c687e36113b

SHA256
bf1f0667eaa64554f5f4798de4af1c3c4c743ac08b4c4190ac3b7e57728d0f23

SHA512
fde0a358d675c06b84fc8bbab455e72f1702aedd02184bad57727dea872cd649746636aff4a7fbb358eeb69dfc0f7ecadacaad8afb548fd94b82edabc8a03d4c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe

Filesize
1.2MB

MD5
9234a2c5dfceb91885553686295b0789

SHA1
fb2a97cf4afbb65a34d5c59f3981851e6cef3904

SHA256
2ff4fdd7e19266bd8ab815d567e94795877a74c693f720b149f84704b5119472

SHA512
abe415fa74080419e9ffded09a6fc1114df1f1668c82f7ad4a7c5ebe5edacf5f2c68b3df188dab6f52a6ab996a990eefa2d1756cf2e188ebe9fb4bcd920903f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe

Filesize
1.2MB

MD5
8e6b600e70c6dd894976dad3e5edeca8

SHA1
0c1f831d1350a90c2e99489afbb75b35596c927b

SHA256
34d33e7b27da7515ae754b470ebc3005928d7c91a627ba1686a2cd4b5aa836af

SHA512
dbddcd52785b878bef3e63dd8971ca0f5ff0bd97eacaa34570aa356bf5297520ab68f8fafaf545f780e53e9afe42bcb711606b8f3c09a62a7f8d16da6cd99ba4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe

Filesize
1.2MB

MD5
3c913ddd9968df07b0e1d0d8367a0d8a

SHA1
e6e45f929508898d06f337b187ee50aeafbc5c9c

SHA256
6fac0ad335454ed8f8fa0348fa638ca5eeac90b1cca6b2a8fef41f932aacbb79

SHA512
8682dc4caee64ab37aa112f1798230b716e52fa8b0b6d572bc09db292274824cc7fd9ba68faf2cab620e61e7ca0ec7fd00518eaf14a834acc4ee84c2d1936dd5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe

Filesize
1.5MB

MD5
bf6bdb9ceea33027ee3ab8c46f2113b2

SHA1
18d9147c2f279af8cfaae37e11fa7acc8de37c4b

SHA256
7740db48fde34ff66d3da506359c631df22af5bb188acd53a0e99fbf0364bf94

SHA512
13d1e6f11e3f993a4c8f0a543c6c74df811ff6939ea89e37d7ca960de70e4ff5bfea8c13322eb42ac7f93ed8d2090b604044c0e5a3bc38715d818cdc20cfe08f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe

Filesize
1.2MB

MD5
c83ad1b8c5c29f6490bc96d5987c3ef2

SHA1
ed68babab3d58c1343a61ab97968e8db341e2e5c

SHA256
28a9ce9fa73bba4220b73b06ae230c21309c37651398ebd7d94e3429068974f8

SHA512
cc630d1a5133dcdd9bf49f0db123873d7d37fe4fd0acd4df33cf6b82be1b6cb0c3d13939b1f3fdc79271cca4ab21494e1550fdc4b4b03170690caab6055cdcd6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe

Filesize
1.2MB

MD5
0687c6e30649605ac7b8a4b964b06d55

SHA1
e29f1db0c882f2f4e18476c2b2bb1fe6aec5f640

SHA256
03d03aa62246a48c96d6082d5d6598368260dfa3f2f9b222a812a0f03e63bfd4

SHA512
9d639a48cd43474997bbaa30a309e04522e7b3211679e5381339e369673cd416feea15b824f51bb5340931f557beeaf32c63d8ab97690346868c83c0cf081d90

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe

Filesize
1.2MB

MD5
d6521c5b914a9d03a5516684b53e6453

SHA1
22ae3ee56e4712aab48a7eac8b56e95bfecdc5e5

SHA256
e3d015a8158bf4d5fdc36587173824b28ea47c6dcd644c77f252cc91b4aae303

SHA512
b22cc0254d58ceafef85a1d0ca00ade1067bc32ad184c396eb3b344c2ad2f04c91d517d932b8d2ab692e04904ca75e6bacf4902d2910c18cda20f5138e7d1dda

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe

Filesize
1.2MB

MD5
63cde41fa024a875b11a9f3e1d7c3328

SHA1
291817557f7873d6566fe23317fdeb67272f41ba

SHA256
6aa42e6e11a2aad133228a2e29f2750c6beb260be228c7680b9af712bfd39960

SHA512
9fa8f4aadc46820c98f4dfcb8fd492fcdf3dc02666a1d05a8679dfd44eb359d2e1bcfbd4ddbea12429467b9c0b66646aa754672234b0a9797b5077f565f35987

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe

Filesize
1.2MB

MD5
98fc45847dbc819d6db2b430e2fb4861

SHA1
6ac7f98a3ba496839afcc48ab27f1478453becdb

SHA256
683c1bb8213a70b79296c652c5e3a23e6452632386640523e1dba43c3eadcba8

SHA512
31a6ceaeeb5d64618c45d9a1f4fdbec1dc571088503321bd64371d457ed5857d2872a1d11bdee0121bbee2ebf48c4c315afc636f4283d812cf16b61f57e4cc08

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe

Filesize
1.2MB

MD5
1f6892d48037a312cc2934c55fad10ce

SHA1
9c23695e8bf82b7d31325b0683a717743bcecc9d

SHA256
0647c4c71fb066c1a0d5dc2548f5131f94835f7002e33093cbae728a53aa86fa

SHA512
1375b101b82ed08a0f742a2d58ff797fcb5abcb44b21d14955759b26ecfe06f8b0cb1a4777c1daec8d68cbc5e7b9239f9ecea9e6a1e2a1ef5f53f4b7329e29a3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe

Filesize
1.4MB

MD5
03240191b67c0683f235e57b1ba699f3

SHA1
27a2c7dbe658a4efcbab3f201e864e020a74d7dd

SHA256
54c341d11865f39cf5c6972dfd34e6fb333b0c61f210b90b1f213b5688e8d9f1

SHA512
9238c172fcf8e5d2b0dae89fce3246241266c81c510d12b64f626cb6ab61b9e3a961d8888682af31e9e4e5525f05dbdd6bc2678d462ac213a0fa9ba252940b88

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe

Filesize
1.2MB

MD5
1f1e7d04f4ceb06b0946ab1e48df608e

SHA1
2219747d9fe9b0ad2abd22c5a66a5ef8f55fcac5

SHA256
d8f55d313b291c2e6ea7f7c80b796e9644a1f62a6fe2356dca9980c6a001bf9c

SHA512
d2ed0aeeb0771ba375854083c7767da397c73ff8eab5fd47a61dd8203f4e7b92dcd3a5be368e4ed9cb18d45bfef33b2c7c6f9a556f6e9581113ef746f5db14b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c5bd7876fd3aa85c926ed9c448761625

SHA1
cd14448a56c5be6d02e3340e09e3000a47ee0614

SHA256
4041cb3d5baaed7e33107049d628087c0906129f89be7989cdb1c84de5ed2f8c

SHA512
7217586ac36e38f103eb35472f8676d8701359ededdca372191c3d74a54303c4e31101041bdd52529dabac2dad4aa1262d0fe9b9215e1a3a007d4a0d48d542d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c5bd7876fd3aa85c926ed9c448761625

SHA1
cd14448a56c5be6d02e3340e09e3000a47ee0614

SHA256
4041cb3d5baaed7e33107049d628087c0906129f89be7989cdb1c84de5ed2f8c

SHA512
7217586ac36e38f103eb35472f8676d8701359ededdca372191c3d74a54303c4e31101041bdd52529dabac2dad4aa1262d0fe9b9215e1a3a007d4a0d48d542d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
fd80cea46e13307e3fb25ebe49642428

SHA1
6ed5a5d4f10e23e360f890fb1ac083d4aebdef02

SHA256
b9519920a08bc8e8fbd3d303d885d2493cbe26c4f8327b3f91bd5d455be7cf6b

SHA512
6f7442574f111214591bb671ea1106ea12e8ce413d6a203b31a4d22f7244188fdacecbadc88d86d3521fe43d3f847144bddbae9a2b496820e4143483b3038df9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
293a6231f0e882ea60cf4e0586074563

SHA1
931b1152d16e20a1efe5b82522ed47e5321c2a55

SHA256
effc59de3c2a5c6799a7837883eb66e21cbfe471c21c3aaa3f0feeb3b9686875

SHA512
39a55b6927616f0edf6f0822968e25f6702ff9571ed7fca4b1e2842ce2eeeb4117e3e0ef69a3d1a3a4e50ac40243ab3a4554d46e29f67a93f216117003cba0e4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
29da811578cdebb1180d73a20d001240

SHA1
6e8f00e89bc9cade713fbba397963c848649acae

SHA256
7e2205680c4afa75c117b40ebcb5f6b43e1b3037ca705788b820cb769bf6e7f0

SHA512
887bd18eb6181e7776ed27334917b1a942ceb1e60d1491dae61b080c002bccc05cab37c931aa85aa921033fdffdf62ebc86ad7fb6aec457083f98de3be0f8ef9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
29da811578cdebb1180d73a20d001240

SHA1
6e8f00e89bc9cade713fbba397963c848649acae

SHA256
7e2205680c4afa75c117b40ebcb5f6b43e1b3037ca705788b820cb769bf6e7f0

SHA512
887bd18eb6181e7776ed27334917b1a942ceb1e60d1491dae61b080c002bccc05cab37c931aa85aa921033fdffdf62ebc86ad7fb6aec457083f98de3be0f8ef9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
29da811578cdebb1180d73a20d001240

SHA1
6e8f00e89bc9cade713fbba397963c848649acae

SHA256
7e2205680c4afa75c117b40ebcb5f6b43e1b3037ca705788b820cb769bf6e7f0

SHA512
887bd18eb6181e7776ed27334917b1a942ceb1e60d1491dae61b080c002bccc05cab37c931aa85aa921033fdffdf62ebc86ad7fb6aec457083f98de3be0f8ef9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
29da811578cdebb1180d73a20d001240

SHA1
6e8f00e89bc9cade713fbba397963c848649acae

SHA256
7e2205680c4afa75c117b40ebcb5f6b43e1b3037ca705788b820cb769bf6e7f0

SHA512
887bd18eb6181e7776ed27334917b1a942ceb1e60d1491dae61b080c002bccc05cab37c931aa85aa921033fdffdf62ebc86ad7fb6aec457083f98de3be0f8ef9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
8001a1dad85c2564e2f1880ce8b10252

SHA1
706e23d96c4676323b239cfa7704d5c2eb10e69e

SHA256
3f4b5c6a0373f957333e6e3a260d9123edeebf595f48a374e98d994154aa1ad8

SHA512
ac2c1784a7bf8d105a9bd3cd53a6e5906720c1954774b834e354ec5c1c7ccda0c440afc1c962444a6733dc2b5f802f1db38b1bbf4dafe2122f8695e7614c99b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
797bb16590808581cbbd572c9806455a

SHA1
08d03d4c503038778efb786c30960a3bfde06b02

SHA256
e7ffaf6489a8eb66d51d43c31bd521f1f40ebb3365194e0e8a9cd6fe29249be9

SHA512
a2f50ffdc7858e28f7520c473ab0e4cd6afe7114d01da899b331eb801c51f33a73b8b6b27a2c0d19cb702ba43d1c217d5c8470a4eea2989cb7e4048bb3be4af8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
797bb16590808581cbbd572c9806455a

SHA1
08d03d4c503038778efb786c30960a3bfde06b02

SHA256
e7ffaf6489a8eb66d51d43c31bd521f1f40ebb3365194e0e8a9cd6fe29249be9

SHA512
a2f50ffdc7858e28f7520c473ab0e4cd6afe7114d01da899b331eb801c51f33a73b8b6b27a2c0d19cb702ba43d1c217d5c8470a4eea2989cb7e4048bb3be4af8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0b2bc577ff70f4624084d29404679d0d

SHA1
8ce3b51941eb85c65898bb08828a04c0791b4c52

SHA256
90080b358ff73693bff127ebddd55803bbe94dae20e8bbf164edfda7b9b21acc

SHA512
6bdfb4455b6289d8bd6b93db937000a6bdd5a9e9f3c52e9f75bc37ce5cb3dc2df972a86755badbdd719b52c05d51e5bdb7e70d0e3f24da8fcbc7a0b4d4051e16

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
9a92dc1405205b8df351908a19632a71

SHA1
b979ae594e65eb4949218b932bd75892bf50ef54

SHA256
05b05560bd1c415e48eccce155a151d83f0b6b4a7bfe71337a1eb5e455182a52

SHA512
c11aa241e11e4e6d81feb15415b1591909be2017107591431a95507db063d4e6d929c912eeb4feaaddfacaac930356158bd76062dc94b4b774ea74bfccb668fc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7cd839a4329672f06657b8b8dfc07896

SHA1
e3662842a639eda80eaed4a551778ddaee34f89e

SHA256
ef6e6bfabb127e5d05799dcb9d2888445e39e5b70f1c8602c9d1043aab7283c0

SHA512
7105eafaa873f0de58d4c6bd060acaacbfe1ded58dd9bc8647a9684f43110327fb43a16a7b91aeb88ee4d1cd3ee1680b28d2baf42554aa52ee84a6ec41833239

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8cff11076c5fa7d62b63b26b0186d26e\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
d3db781e392e1a3956e6befb3d0ff0a5

SHA1
18801b60390305891a7283bcb5f4b87a096bc5fb

SHA256
eadc3923ca933549398502d937b5ccb6ae06a4384a578e0e8e606e7d9bc4387c

SHA512
e9423442c1628179c9682ba0416267768bae78ca84e01f8d7740bf92a3e8429f5adb60fc222cf1a2b545ed65f12b40c371ab4b7f1b517d984c42a5dd99560a0a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ebda2993fbb9d85b8a4b9fa44e10d72f\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
b7e291d23f4fa5323dd1f81db9382a55

SHA1
e560b243499b40368c8101fdc34a15d7f06eb623

SHA256
787775615a0107fb0e5b41e30666b485e8c687024879d3857647146062bd296d

SHA512
4d7377ddbae0932063e738da758f945855d0f4335e2e18b076b61aaa5e2fb24ff18b7e719379cc40451bcf6fda149a45f4264fb2d66deccb06980a6d3583289d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
c5bd7876fd3aa85c926ed9c448761625

SHA1
cd14448a56c5be6d02e3340e09e3000a47ee0614

SHA256
4041cb3d5baaed7e33107049d628087c0906129f89be7989cdb1c84de5ed2f8c

SHA512
7217586ac36e38f103eb35472f8676d8701359ededdca372191c3d74a54303c4e31101041bdd52529dabac2dad4aa1262d0fe9b9215e1a3a007d4a0d48d542d8

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
293a6231f0e882ea60cf4e0586074563

SHA1
931b1152d16e20a1efe5b82522ed47e5321c2a55

SHA256
effc59de3c2a5c6799a7837883eb66e21cbfe471c21c3aaa3f0feeb3b9686875

SHA512
39a55b6927616f0edf6f0822968e25f6702ff9571ed7fca4b1e2842ce2eeeb4117e3e0ef69a3d1a3a4e50ac40243ab3a4554d46e29f67a93f216117003cba0e4

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7cd839a4329672f06657b8b8dfc07896

SHA1
e3662842a639eda80eaed4a551778ddaee34f89e

SHA256
ef6e6bfabb127e5d05799dcb9d2888445e39e5b70f1c8602c9d1043aab7283c0

SHA512
7105eafaa873f0de58d4c6bd060acaacbfe1ded58dd9bc8647a9684f43110327fb43a16a7b91aeb88ee4d1cd3ee1680b28d2baf42554aa52ee84a6ec41833239

Download Submit
memory/560-413-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/560-443-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/560-433-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/560-426-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/560-440-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/560-442-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/884-285-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/884-448-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/884-484-0x0000000074658000-0x000000007466D000-memory.dmp

Filesize
84KB

Download
memory/884-347-0x0000000074658000-0x000000007466D000-memory.dmp

Filesize
84KB

Download
memory/884-288-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/884-290-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/908-252-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/908-277-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/908-274-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/908-251-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/908-258-0x0000000001010000-0x0000000001070000-memory.dmp

Filesize
384KB

Download
memory/1352-246-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1352-248-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1352-341-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1352-240-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1644-270-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/1644-437-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1644-263-0x0000000000510000-0x0000000000577000-memory.dmp

Filesize
412KB

Download
memory/1644-264-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1676-120-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1736-558-0x00000000019F0000-0x0000000001A70000-memory.dmp

Filesize
512KB

Download
memory/1736-564-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1736-556-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-563-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1736-548-0x0000000000AC0000-0x0000000000B20000-memory.dmp

Filesize
384KB

Download
memory/1764-7-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1764-119-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1764-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1764-204-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1764-1-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2196-236-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2196-289-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2196-235-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2196-229-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2324-280-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2324-211-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2324-212-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2324-219-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2692-404-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2692-402-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2692-410-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-487-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-357-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2692-366-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2700-99-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2700-241-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2736-577-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2736-584-0x0000000001870000-0x00000000018F0000-memory.dmp

Filesize
512KB

Download
memory/2736-585-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-582-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-566-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2752-573-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2752-583-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2752-581-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2752-568-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2752-560-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2752-570-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2752-580-0x000007FEF4A40000-0x000007FEF53DD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-227-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2832-39-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2832-62-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2832-40-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2832-61-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2880-200-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2880-109-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2880-108-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2880-103-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2880-102-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2996-596-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2996-591-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download