106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b

Analysis

max time kernel
157s
max time network
163s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
19-11-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
Size

1.8MB
MD5

aa3eca4fd662553510d3ec924dc983e4
SHA1

3ba559321814263dc54056ec4cc44a0657668316
SHA256

106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b
SHA512

0995dc2d34f8a77887a621ec0bf3024bb7ad98cc6b5dde89918cb4497a4b935d310a7f732456414c8b1b6cfc4b6bc584390b61284416b2cfa3d37fcc495865e0
SSDEEP

49152:wx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WALe30jaNf1TWbdz:wvbjVkjjCAzJYU023W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2876	alg.exe
980	aspnet_state.exe
1988	mscorsvw.exe
3048	mscorsvw.exe
1340	elevation_service.exe
2352	GROOVE.EXE
2628	maintenanceservice.exe
1292	OSE.EXE
556	mscorsvw.exe
1748	OSPPSVC.EXE
2780	mscorsvw.exe
2708	mscorsvw.exe
584	mscorsvw.exe
2172	mscorsvw.exe
1032	mscorsvw.exe
988	mscorsvw.exe
1620	mscorsvw.exe
2316	mscorsvw.exe
2476	mscorsvw.exe
2528	mscorsvw.exe
2932	mscorsvw.exe
2056	mscorsvw.exe
836	mscorsvw.exe
2480	mscorsvw.exe
892	mscorsvw.exe
1148	mscorsvw.exe
2868	mscorsvw.exe
1592	mscorsvw.exe
2976	mscorsvw.exe
2832	mscorsvw.exe
544	mscorsvw.exe
1204	mscorsvw.exe
852	mscorsvw.exe
1768	mscorsvw.exe
556	mscorsvw.exe
1216	mscorsvw.exe
1660	mscorsvw.exe
1440	mscorsvw.exe
2476	mscorsvw.exe
2540	mscorsvw.exe
1704	mscorsvw.exe
328	mscorsvw.exe
2232	mscorsvw.exe
1320	mscorsvw.exe
2028	mscorsvw.exe
2452	mscorsvw.exe
2148	mscorsvw.exe
1464	mscorsvw.exe
1356	mscorsvw.exe
2572	mscorsvw.exe
2496	mscorsvw.exe
2632	mscorsvw.exe
1612	mscorsvw.exe
2672	mscorsvw.exe
2232	mscorsvw.exe
1744	mscorsvw.exe
2624	mscorsvw.exe
1904	mscorsvw.exe
2952	mscorsvw.exe
776	mscorsvw.exe
1356	mscorsvw.exe
3052	mscorsvw.exe
2540	mscorsvw.exe

Loads dropped DLL 29 IoCs

pid	Process
468	Process not Found
2476	mscorsvw.exe
2476	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
2028	mscorsvw.exe
2028	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe
1356	mscorsvw.exe
1356	mscorsvw.exe
2496	mscorsvw.exe
2496	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe
2232	mscorsvw.exe
2232	mscorsvw.exe
2624	mscorsvw.exe
2624	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
1356	mscorsvw.exe
1356	mscorsvw.exe
2540	mscorsvw.exe
2540	mscorsvw.exe
1612	mscorsvw.exe
1612	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3e242929263a7f60.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_sl.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_te.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_no.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\GoogleUpdateSetup.exe	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_ml.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_sv.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_lv.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\psmachine.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{32AC3C1E-1D77-4453-A97C-1A59B69FA808}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM6893.tmp\goopdateres_hu.dll	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D5A.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA074.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP95AB.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8640.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP78C8.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP823A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA812.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2540	106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeDebugPrivilege	2876	alg.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeDebugPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	1988	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 556	1988	mscorsvw.exe	35
PID 1988 wrote to memory of 556	1988	mscorsvw.exe	35
PID 1988 wrote to memory of 556	1988	mscorsvw.exe	35
PID 1988 wrote to memory of 556	1988	mscorsvw.exe	35
PID 1988 wrote to memory of 2780	1988	mscorsvw.exe	37
PID 1988 wrote to memory of 2780	1988	mscorsvw.exe	37
PID 1988 wrote to memory of 2780	1988	mscorsvw.exe	37
PID 1988 wrote to memory of 2780	1988	mscorsvw.exe	37
PID 1988 wrote to memory of 2708	1988	mscorsvw.exe	39
PID 1988 wrote to memory of 2708	1988	mscorsvw.exe	39
PID 1988 wrote to memory of 2708	1988	mscorsvw.exe	39
PID 1988 wrote to memory of 2708	1988	mscorsvw.exe	39
PID 1988 wrote to memory of 584	1988	mscorsvw.exe	41
PID 1988 wrote to memory of 584	1988	mscorsvw.exe	41
PID 1988 wrote to memory of 584	1988	mscorsvw.exe	41
PID 1988 wrote to memory of 584	1988	mscorsvw.exe	41
PID 1988 wrote to memory of 2172	1988	mscorsvw.exe	42
PID 1988 wrote to memory of 2172	1988	mscorsvw.exe	42
PID 1988 wrote to memory of 2172	1988	mscorsvw.exe	42
PID 1988 wrote to memory of 2172	1988	mscorsvw.exe	42
PID 1988 wrote to memory of 1032	1988	mscorsvw.exe	43
PID 1988 wrote to memory of 1032	1988	mscorsvw.exe	43
PID 1988 wrote to memory of 1032	1988	mscorsvw.exe	43
PID 1988 wrote to memory of 1032	1988	mscorsvw.exe	43
PID 1988 wrote to memory of 988	1988	mscorsvw.exe	44
PID 1988 wrote to memory of 988	1988	mscorsvw.exe	44
PID 1988 wrote to memory of 988	1988	mscorsvw.exe	44
PID 1988 wrote to memory of 988	1988	mscorsvw.exe	44
PID 1988 wrote to memory of 1620	1988	mscorsvw.exe	45
PID 1988 wrote to memory of 1620	1988	mscorsvw.exe	45
PID 1988 wrote to memory of 1620	1988	mscorsvw.exe	45
PID 1988 wrote to memory of 1620	1988	mscorsvw.exe	45
PID 1988 wrote to memory of 2316	1988	mscorsvw.exe	46
PID 1988 wrote to memory of 2316	1988	mscorsvw.exe	46
PID 1988 wrote to memory of 2316	1988	mscorsvw.exe	46
PID 1988 wrote to memory of 2316	1988	mscorsvw.exe	46
PID 1988 wrote to memory of 2476	1988	mscorsvw.exe	47
PID 1988 wrote to memory of 2476	1988	mscorsvw.exe	47
PID 1988 wrote to memory of 2476	1988	mscorsvw.exe	47
PID 1988 wrote to memory of 2476	1988	mscorsvw.exe	47
PID 1988 wrote to memory of 2528	1988	mscorsvw.exe	48
PID 1988 wrote to memory of 2528	1988	mscorsvw.exe	48
PID 1988 wrote to memory of 2528	1988	mscorsvw.exe	48
PID 1988 wrote to memory of 2528	1988	mscorsvw.exe	48
PID 1988 wrote to memory of 2932	1988	mscorsvw.exe	49
PID 1988 wrote to memory of 2932	1988	mscorsvw.exe	49
PID 1988 wrote to memory of 2932	1988	mscorsvw.exe	49
PID 1988 wrote to memory of 2932	1988	mscorsvw.exe	49
PID 1988 wrote to memory of 2056	1988	mscorsvw.exe	50
PID 1988 wrote to memory of 2056	1988	mscorsvw.exe	50
PID 1988 wrote to memory of 2056	1988	mscorsvw.exe	50
PID 1988 wrote to memory of 2056	1988	mscorsvw.exe	50
PID 1988 wrote to memory of 836	1988	mscorsvw.exe	51
PID 1988 wrote to memory of 836	1988	mscorsvw.exe	51
PID 1988 wrote to memory of 836	1988	mscorsvw.exe	51
PID 1988 wrote to memory of 836	1988	mscorsvw.exe	51
PID 1988 wrote to memory of 2480	1988	mscorsvw.exe	52
PID 1988 wrote to memory of 2480	1988	mscorsvw.exe	52
PID 1988 wrote to memory of 2480	1988	mscorsvw.exe	52
PID 1988 wrote to memory of 2480	1988	mscorsvw.exe	52
PID 1988 wrote to memory of 892	1988	mscorsvw.exe	53
PID 1988 wrote to memory of 892	1988	mscorsvw.exe	53
PID 1988 wrote to memory of 892	1988	mscorsvw.exe	53
PID 1988 wrote to memory of 892	1988	mscorsvw.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe
"C:\Users\Admin\AppData\Local\Temp\106bb4358c96a2f5e8c809996cf92a01a5215109b7c9861a0c2d055fef218c4b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 268 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 26c -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 254 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 25c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 244 -NGENProcess 1d0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 1c4 -NGENProcess 2cc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b0 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2dc -NGENProcess 2b0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 298 -NGENProcess 2e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 2e8 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2b0 -NGENProcess 2ec -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f4 -NGENProcess 2e4 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2cc -NGENProcess 2e4 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 298 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 298 -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2dc -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 304 -NGENProcess 300 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 314 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 314 -NGENProcess 298 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 320 -NGENProcess 2dc -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2c4 -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 328 -NGENProcess 324 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 32c -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 304 -NGENProcess 330 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 330 -NGENProcess 324 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 334 -NGENProcess 2dc -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 338 -NGENProcess 2dc -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 318 -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 338 -NGENProcess 344 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1340

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2628

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1292

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
a218c666fb4c2ba8a934b5fe5a3a9f69

SHA1
41f46aea66b48b664f86a7fd12ad34e7ac7681a8

SHA256
cdb7d20f39b6b8e0a4f437b2013fb7a20fade17bf5b5956c23a24a3cc8f57d50

SHA512
8c761a901ab554fee0b92a27a717b032ec09cd4909116154cc61ae587f62de6ffac9a36b9a72a8b447b2a24c59b4b45d399c489b85c4b9a301b9dd5c18a02c64

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
bf4929b7cab7774a4042a480cecef51e

SHA1
341f1d32e97f6e35f71499ebfb2ece31e5ebd556

SHA256
f5f8dc75891c6e5e172793b0bd3eb34ef44bece1e08e486a675d1286df5b772c

SHA512
f3982cb5e6103253df499464bf03d6a05678941a66435595a7509b4f17fa874b1d4908b99374ae26588305ef43478d481e0549dc6101f7cbcec5ee2e427c3e99

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
9bb27292194ec1f0aadb1b915ef70091

SHA1
2a247e1cdcf669080b8dbeb3b49c0d123f094dc8

SHA256
ff0e59f0f2613358dd1af4bf5195962588825a8035d3e082cf2266b89f56a63c

SHA512
ad1e7199be81d3fbde8fb6179177849ddde3df764c2b7209acba527250c92cb639aa3e03a7803dab86ace5292176294d05c61577f5fba45a473e2ac6f4782fd0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
2.0MB

MD5
ec2683042f140e5fde620e8cad569de7

SHA1
93dd4c65133cd9f39005fe2df85dcec005f692d1

SHA256
5a419645a645f8244d805262ac88c6afc2178c9b049c299446299e14869ab40e

SHA512
b4585e48bff42845da2807a92b773f7698c876ce144586b8b8b9859b0e621935a638a46731c668cf5b8792554c286439ecb245fc0c6462388e130042c0680fbc

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
9b706e98f3627d54bbc0239966fd9bb0

SHA1
23cdb0cda7a702b1cf310750dbb2d7d5027b4036

SHA256
7156f6248f97463ea5bcb470f2331a5307f29c303c862c976faaab2349e0175e

SHA512
f433d4edc12f1e62646293da9379140246224cad8fe1722dd018fb1b5adeb3af9812cf0e602ed4e0ee0f81798b86cdf2054a071788833455917da6a0602cf655

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e5a013d47903e608f5f16aea3306fb3c

SHA1
a3d649c15944b57700b85d9c750b9f1d92ce25a8

SHA256
30fbb24450e5e154ee9cb62cdbf13ec5ef52207ee52ffe225fa29aa99e060db4

SHA512
e05b2fece3aaa6d99aafb0e3d34693d02c7b63b3c07199d56af4895b4af905966f79529c4684dbbe66b05c5f1a5fb89f1ee59d996ba522191b3391de942cb17d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
2a9f4e88cf4ed7ca7e2220bea44d23b6

SHA1
77b1de2357c7a0d4cd34771306cb37b2bce31f03

SHA256
ed695039f814ed90fdca7f6ab6bbe23fe100ca8d860294fc848f64f58720d081

SHA512
9e69e2424acba060dc2987edd88b7fd7495527de8e67049235bc3e4c26d589f3be457e88354ecd15bac51749f9ececd342bf62b0281d2146a4a86eb5814f44b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
2a9f4e88cf4ed7ca7e2220bea44d23b6

SHA1
77b1de2357c7a0d4cd34771306cb37b2bce31f03

SHA256
ed695039f814ed90fdca7f6ab6bbe23fe100ca8d860294fc848f64f58720d081

SHA512
9e69e2424acba060dc2987edd88b7fd7495527de8e67049235bc3e4c26d589f3be457e88354ecd15bac51749f9ececd342bf62b0281d2146a4a86eb5814f44b3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
09e4d5efdbe607e2485cf1d9ce7d4e70

SHA1
1a0a451dd3dd20e06a41c71ce62f781ccbdeab0a

SHA256
5fa21c6539b3af457303c93d66c75e7c209c91f90355b02ddab652f61281f582

SHA512
6f8460f9f85205bf25f7b61a91793ee5e2726e3d9f6b6ee0a42a525b712367d0c2908a03c961ed334042bdad3a665be6c88209255ef4721176672b4072624905

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
27c62b000cb48bf88f635d79abdc9262

SHA1
e1b8a8a2ad0c779cebeddfc78092a708711d0ff1

SHA256
87f9ec3d67a9032f66e636fccc876d96747b2f88f2adb5d86df86177fe9bbb49

SHA512
23fd1c349a89f434bbc2f8977892c8815d3c82f2423bfde60f98721461e31eeb5e2c9f74e62c2580fd8dcdc94b5041bfc3db5986b531a13810509ae53bb0d652

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
5ded4617a7bce77de06ab9bcbb35e0ff

SHA1
1534819260792009dac92e3c0239237a74ffba61

SHA256
665d6a5d3e7b1f68f3bfeea23b9d29ec994740ff05b3f1cdacd51703fadf2fb7

SHA512
2016ed57b478b9acc84b6cafc5b775e6011cbb38a6ffcbad04780c44b5f5783de7746800b83424313ddacadb5428689542b1cb392dd3c28e87f2deef89774234

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
de6117d36af611361e8b61471511ed20

SHA1
2fb27b07d2304bbdaf580a27ceca9696d53b57db

SHA256
e357b162bcb82850a7b84e7f879bbc1feaae7dc542a26d9df94e172e872494c8

SHA512
948cc5558d9f8643e8a76f36f116620c002d9b3dfc27629fcc30f9e5af16762a90592eb132c42dc2793f3529d31716e34f63f65b51da668239b7d85147c6e2f3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
53c61a6d74868fac0fef4dee24e04599

SHA1
b092ebc5420a6eface4b21e07095ff7f56e47c9c

SHA256
886607a55a17337e88c3d484317123945a8677aef1bd3111cb710f2561e0db17

SHA512
bb076a5232aa9d50096a2a22116de5585ef2f97693bca1bb144d8518e6c58c0318700399f7fe02c77f39cde710f0c4b48994b592d6756657b058194bd3b3fee6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e56d7e57ffb24e985d0d964a105a6410

SHA1
047f7be7d903674892d39c4cfda90de808ba24a3

SHA256
ee507718327b636855e63feb301923baf0f3e0747253540f1bb159c2a82504a6

SHA512
4839d95d63fdd440c4aa83353e372d85d7a62885599fca285a5cabeb98dedcf19f4ab54389226cc4f01f5f67701800e2c413b8da6bf6f1e94cca34fdfba4da04

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8fe60b2498a0bc891fb8a170259c6a72

SHA1
331d76cb841688694d132222d4d4b5541118549c

SHA256
6089876feac0553f1b2180a31ceac1fb4a34e0123979ee5e323582089487776a

SHA512
c18b6bb03da6a174d03c664e3104f694869faf2d48c4baebd0d6372d6bc49e834698dd5eb66738a0b3f665ab4597d15c7244f23ddd0180434250abc8e51f0322

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
1f2cd80d5aed80ccc379f865391c1854

SHA1
6c01fe4f6347157949f14598c189da383fd4219a

SHA256
c5575b2ea808baad17beb7e544f0cc911e199418a168d5bb5c21be75494a07b7

SHA512
2ffb9eb97649a24245473581923a42b7732138629b54ef59ba168ae4c6348ea8ae9b4d6f4fd31521799c1bdbe564fd821177e2be43ccf47060040ce82e15eb3c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4a9eb833f6ca23705d60ad0eefaf9812

SHA1
eb564b690252907048281678a8f8752ab1ad8091

SHA256
180a3d350e4a210bec92c088221f7ddc1d7091dd08a1fb99861e35cbdeb84997

SHA512
9d0269cbba64702c6601df0c774b640b829a46964b5a8b252b66b48f0103ded540caa410b18028850d1da6b49da6ce54cbe82c50a2dd4e68188bab2a77192e60

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
25ea7d522efc3e1dfe8a0b0b59c3c3bf

SHA1
861aaa3e4f875779949ee6f0678bf4f42b103e9a

SHA256
26fe2571f673963886a918de073659d786cc323fc735d5a081e8fa700d61ce31

SHA512
a33ea56d6f04f9feb54ef765b3d902b64df37539ad4d764d2d5ba3c7a9509a4e443f7a8dd4f4e5db0da87c72774fc6be1a8baab702a5065bb2d5afae2350ab13

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
8e4a04d7785a769da998ddcf19abb72c

SHA1
c6877638d2ea2d09f15ae6c675052e3de8905f3e

SHA256
be118bba2202d65ac3584ad4b40a9d60e2ba19d0d2df44cde0cbc29db4171a89

SHA512
cbb078dac1664a5139f4db9e6b94cf0e0774bc3e46193f179a773c825bf84011312446e8b85705dd8d84ffb3f60ad9ff01a21fa23a10bec91c52da428c0e3a42

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.5MB

MD5
e97e1b90016f49dbf3e1bb03a848e4c2

SHA1
15af7f3719fa0a5c26fff742121ad4905c0e6b36

SHA256
1c19f0fff4c1b6192fd1cb2480f44ee51e7d2ab0bd8c6393a621be902485a61d

SHA512
67ae5cb341ab8060cdfaa4f2220792c7a16e51a16d4c0be59c097f1ed4d65fd5ed08a4a4695925f2acfd6d74991a097e48eb00341e2fa113568f05348876ff4e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.5MB

MD5
d2ba9fca944d2d886913fd6c34781dd9

SHA1
a3dc2808b8d8922b3269fcb01a1040f7a3961d9b

SHA256
beb91d19bb306480bb7c4f33d419ac59542b85d2478e5ee39633867e3b6046b4

SHA512
2684f3964b98218a572686289fc26fb4ed663067cd9aaa142c6d8512bfc43b6437be7e317950ed721b09eed2291fc28b7e33460b2b4cde5d767b792b3d17e18d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.5MB

MD5
0350d75c2693068ee78e494b251d0624

SHA1
cd9fb3bc2a04345d59cbb5e2801010c8de83d724

SHA256
95298faaf480631b04fadf37fcd1e9fc3e76667ed321c8102d610bfb2ca5690f

SHA512
b790d539143b4c2813f52014fb3828ee8853041a8f4438d1ca39d17aa70fb4304e134bbb0e7521c4d4b592e7f24e06473148faf86ffddcadd9716e847fd1a0b9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.5MB

MD5
a51d0ad153d4daaffc84293547e6d466

SHA1
da0ef6c8646d7c742b684ad2526709172f372108

SHA256
df058323c012bbbacc5c40e5d9c2801ffa57874090a3360c3bacd2de2feb2fc9

SHA512
188b0e541ca8fb8637e865249c65a77966a4d42b5c36684a073b629837fd049d4479bf2e60c9d867584256c2f518dcff258389b3a4df8af088a35a9b89c0919c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.5MB

MD5
3c9d5a441128ee3f041d57165de28a1c

SHA1
8b4074122359d6a4aef610b8b888f125afd62382

SHA256
4bde57bba3648b10567aeaf7d3caa3a848e5f46e5b989edf19091a68dd573e16

SHA512
fc95e48e92ec60ce47559345ece4babd4da79bc8f4c652953c719e49767117ef90eef601a3a09540ad7ca47b0256b420fb79a31e6884792c14b3389a78f05691

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.5MB

MD5
6acb71b08c0070369c4bbbbd12213d68

SHA1
3e9c32d7d0c93d02debdb992aac233fad6a6894e

SHA256
10f6d2b858157fbd89ecf7175b5b371297972c03dbf9f9a5b17f534dbc689e05

SHA512
f93c5e5fa7c4cdf4bb899dd7666d6adfdd85c042d3b85df4b01c7154b87dc6a7c9cb42772dee3c8bd3cf34c71b44294e46af4c33d45aedf8fbdd08cd4552215b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
1.5MB

MD5
61539ce265b34a0163dcd63dd296eb1f

SHA1
36e2334bf7ece175c4f966822abe3976acf2b8bd

SHA256
0d12ea3c06ade419fdf5a79d70380a314490e0913dba00f1103191363224af9b

SHA512
39c7fa370f11fc61277ae3110701563d4f365266bee99c32c412e2c532a32f2c10e8280d087d43e7745d20a33604f8f2ff17c830324a13ddfcd3b5b2cf445c0d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
1.5MB

MD5
cecc65d58faee169826e54ece954623e

SHA1
63e455a11acfe70b1e2ba2c2280bd5212acd7e68

SHA256
fda6a018136751ef52be7635478d80b6afa1260f3b60c96f4be4cd04758f8c8d

SHA512
e5a02f4a2c9057b13bd1d39ad67e1d5ccdc9a4ffed2a5b7ab9ce57d0d0db33e94bfd628a5fb2e96c11af710b3448a33b131ce761742e9fe25fdd91e9dd7153ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
1.7MB

MD5
0dc1d0a5fdc0619401f5686d2a14d527

SHA1
e8f342e01173a92bebd7a4334e656494e8ac2090

SHA256
3618a916d6acc6dcb4cfdcfd55e7abdcc6de3351c36aa95f6c31975d2b658bea

SHA512
1ef270cf711992c7e3da9f3ab47948a2184a42a49e8a7dfb862398d41bcd17be9e8389e5cd58db870aeda0c1e88c5093f613762c25fdac994796c9d8bac45c55

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
1.5MB

MD5
7640b71b96e1775aef48cec3102ab00c

SHA1
f7072357c9877c3f230bc6e65e208458afafcbf9

SHA256
a8b6464a33ebe857d5d0024753b6d52e8dddd71e38abe67370f8c7edb929ea52

SHA512
305172839103c594e5aadf77c9ac38e4899d4ada9aa81b62cf5326d2df7ca402ba0b939afd2cf1ca1a597bc71fdc0ba82b56122cb5caceef8b957479621d5647

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
1.5MB

MD5
c57eac3beb99d6e31835a904ef7128a1

SHA1
494835958b7be2c13ba8d617c7a793d7690e5b6a

SHA256
32f424e3fffc013bca56078d000aed6f4336c6e4ec983f39c7672654d146558e

SHA512
9647fcff0ba4c508d20900e56ba76d94c07d41d76038b41ca2d948b867645ebeb4dcb547271d823e4a2b57481dbaf83d72d793744c86dbc83f452efac162bb75

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
033650137eb72a75b3016a8d6bc57325

SHA1
30a1d2e337fed50038d09d703316e4340c4055e7

SHA256
da997531297245a438af18bf25f2f3ef06f9a691cc942e5a8c8dc8b1401fa467

SHA512
548a33dccbe1cf41c08ee30a10a322cebbd9bb03a39a2f9dd2abd69a02b6d17f75a5f744a7d5f543776e55e592a8c3ac74419b699ebaa83632a8ff5f85d08294

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
7d619b4c079066ff8d6c865b9e2630dd

SHA1
8063fb443ef875e402ce3e0afcc438b20f80d91f

SHA256
05cbf206140d8791b2e561d3c4da6a6d7a2e85ac942baf6676238ef233fe35ac

SHA512
162f6f34fa58a4c98898cbed27ddcbdfb5c5737c861ef04422b65ce7386d2a06b638b3c050c38537489367c31594c0f5e5f185fd611daff3ae45543641da5788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
7d619b4c079066ff8d6c865b9e2630dd

SHA1
8063fb443ef875e402ce3e0afcc438b20f80d91f

SHA256
05cbf206140d8791b2e561d3c4da6a6d7a2e85ac942baf6676238ef233fe35ac

SHA512
162f6f34fa58a4c98898cbed27ddcbdfb5c5737c861ef04422b65ce7386d2a06b638b3c050c38537489367c31594c0f5e5f185fd611daff3ae45543641da5788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
7d619b4c079066ff8d6c865b9e2630dd

SHA1
8063fb443ef875e402ce3e0afcc438b20f80d91f

SHA256
05cbf206140d8791b2e561d3c4da6a6d7a2e85ac942baf6676238ef233fe35ac

SHA512
162f6f34fa58a4c98898cbed27ddcbdfb5c5737c861ef04422b65ce7386d2a06b638b3c050c38537489367c31594c0f5e5f185fd611daff3ae45543641da5788

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
7d619b4c079066ff8d6c865b9e2630dd

SHA1
8063fb443ef875e402ce3e0afcc438b20f80d91f

SHA256
05cbf206140d8791b2e561d3c4da6a6d7a2e85ac942baf6676238ef233fe35ac

SHA512
162f6f34fa58a4c98898cbed27ddcbdfb5c5737c861ef04422b65ce7386d2a06b638b3c050c38537489367c31594c0f5e5f185fd611daff3ae45543641da5788

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
65481202037aa0910fc6ec2245835f09

SHA1
2ff0389e2c55ef8a25e7f815070e7dffc6835948

SHA256
6b2fc1da1ab6c518065c691a5b994ca67c4283dceb0c582ae8539631a31e9377

SHA512
7b1aa595fe0874e14b4cee5d5639dd2471c15da45fc859fb7c6fc33b8b3664528d3ccaf543a3eef1b81b6697c1ddc92c347c117857ba1591b641f9879c7ea33a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
2a0cad8e4bce55e8b930ca0b09810e1b

SHA1
4d2060c2e972022bff804b26d4bf0d57d1fcbc00

SHA256
3f860c7661d2e7c11a9ad82c797a577097f5b38481cd494d44e3a1b99240895d

SHA512
930d29df94aacf1f39a120b327141e8acd0da634a2975bc9cf5ff19c83c0a5f7cafa65ef520730c51e1dcab62325e10d7f1c9ebcf421963c7fdbe13f644eb58b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
dd62a92119f3b70e2dfa25da7f52e3f7

SHA1
910f7e58a06f79cc3cca9c8d8145ad360a27e895

SHA256
a4c60d515f6a1ea9dbddf58441e571389d8809f6f515bef0064c96459d7a4c45

SHA512
9cd32e25179ced4524038f767bf2217fb579ce7c1215d047133f758fd2049e3c3d760cfa6be91aa495de00129739e395c6ad90e9e690b07c68adf4e3c8751313

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
199a4ae50739fe917d632f4ac24b27bf

SHA1
add4d024860cdfae4c8f7028f899149ebf767581

SHA256
5f8fdf110661554c56b631a256effe395a603b6dd14c046ccac8330d8aa9e70e

SHA512
3d117af87599190804f0477431578fab23ae3d16d695d2ba12fdb319abdf327124437e60efcf3c84a3fa0751b479f8c1f5da2af86ed96da597f5de002bf37c5c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\45bc170fe905f45260ac227326a7b0f9\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
f9086bc1833b34b42485f9d0fb500f5d

SHA1
e601bd4237530e96c8184f9b0a837a3df622a00f

SHA256
feb499a88404ddcaf9c536696fe91778953c904b1e294d02429a03bfd71d1d96

SHA512
e1bf3cd04e754b377f073ec5d8da2f193ce43a4af68cb07fc253b75e528b81098e0dbfc6794f75aee314be432eeadec9d1bbdcb7bd38122b93958724aca1cea8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
033650137eb72a75b3016a8d6bc57325

SHA1
30a1d2e337fed50038d09d703316e4340c4055e7

SHA256
da997531297245a438af18bf25f2f3ef06f9a691cc942e5a8c8dc8b1401fa467

SHA512
548a33dccbe1cf41c08ee30a10a322cebbd9bb03a39a2f9dd2abd69a02b6d17f75a5f744a7d5f543776e55e592a8c3ac74419b699ebaa83632a8ff5f85d08294

Download Submit
\Windows\System32\alg.exe

Filesize
1.6MB

MD5
199a4ae50739fe917d632f4ac24b27bf

SHA1
add4d024860cdfae4c8f7028f899149ebf767581

SHA256
5f8fdf110661554c56b631a256effe395a603b6dd14c046ccac8330d8aa9e70e

SHA512
3d117af87599190804f0477431578fab23ae3d16d695d2ba12fdb319abdf327124437e60efcf3c84a3fa0751b479f8c1f5da2af86ed96da597f5de002bf37c5c

Download Submit
memory/556-303-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/556-259-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/556-268-0x0000000000BA0000-0x0000000000C07000-memory.dmp

Filesize
412KB

Download
memory/556-282-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/556-302-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/584-396-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/584-428-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/584-429-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/584-379-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/584-404-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/980-94-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/980-228-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/988-476-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/988-490-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/988-487-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1032-437-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1032-459-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1032-466-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/1032-488-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1032-489-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/1292-300-0x000000002E000000-0x000000002E1A5000-memory.dmp

Filesize
1.6MB

Download
memory/1292-247-0x000000002E000000-0x000000002E1A5000-memory.dmp

Filesize
1.6MB

Download
memory/1292-248-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1292-253-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/1340-203-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1340-210-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1340-211-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1340-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1340-265-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1748-278-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/1748-271-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1748-420-0x00000000746B8000-0x00000000746CD000-memory.dmp

Filesize
84KB

Download
memory/1748-393-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1748-280-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1748-285-0x00000000746B8000-0x00000000746CD000-memory.dmp

Filesize
84KB

Download
memory/1748-347-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1988-173-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1988-237-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1988-172-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1988-179-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1988-178-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2172-438-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2172-424-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2172-427-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-407-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2172-463-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-279-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2352-223-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2352-216-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2352-221-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2540-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2540-7-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2540-1-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2540-168-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2628-227-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2628-238-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2628-244-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/2628-233-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/2628-239-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2628-242-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2708-314-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2708-401-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2708-337-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2708-400-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-348-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-295-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2780-342-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-330-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2780-306-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-305-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2876-56-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2876-214-0x0000000100000000-0x0000000100194000-memory.dmp

Filesize
1.6MB

Download
memory/2876-44-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2876-45-0x0000000100000000-0x0000000100194000-memory.dmp

Filesize
1.6MB

Download
memory/3048-195-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3048-254-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3048-194-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/3048-187-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3048-188-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download