bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
20/11/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
Size

1.8MB
MD5

50f80b53a6393aa0281fee1bc6425acd
SHA1

03f152a2db63f8c7cc1222c50b3b3bfb9be99740
SHA256

bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6
SHA512

047925296cefd78f672e54d88d63d2c8f1ac5e53e9042cc5e8bc2942976393d0a86a3d248c6651466c5adde16adc4521ec6e5b62488e4af38ae90e64fbc38774
SSDEEP

49152:dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAQ/snji6attJM:dvbjVkjjCAzJdEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
472	Process not Found
2604	alg.exe
2848	aspnet_state.exe
2932	mscorsvw.exe
1800	mscorsvw.exe
324	mscorsvw.exe
544	mscorsvw.exe
1792	elevation_service.exe
2196	GROOVE.EXE
604	maintenanceservice.exe
2344	OSE.EXE
2988	OSPPSVC.EXE
792	mscorsvw.exe
1756	mscorsvw.exe
1980	mscorsvw.exe
1188	mscorsvw.exe
1300	mscorsvw.exe
2992	mscorsvw.exe
2068	mscorsvw.exe
2764	mscorsvw.exe
2752	mscorsvw.exe
1052	mscorsvw.exe
1656	mscorsvw.exe
2640	mscorsvw.exe
1996	mscorsvw.exe
2348	mscorsvw.exe
2104	mscorsvw.exe
2128	mscorsvw.exe
1468	mscorsvw.exe
3020	mscorsvw.exe
2012	mscorsvw.exe
2832	mscorsvw.exe
2508	mscorsvw.exe
3068	mscorsvw.exe
304	mscorsvw.exe
1472	mscorsvw.exe
2884	mscorsvw.exe
2924	mscorsvw.exe
436	mscorsvw.exe
1188	mscorsvw.exe
1452	mscorsvw.exe
2588	mscorsvw.exe
2832	mscorsvw.exe
2556	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
472	Process not Found
472	Process not Found
2832	mscorsvw.exe
2832	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a70b989f54788660.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\GoogleUpdateCore.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\GoogleUpdateBroker.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\GoogleUpdateOnDemand.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_is.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_cs.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdate.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_el.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\GoogleUpdateSetup.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1C9A7525-DD83-4D3E-A997-7B96D14249B1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_ro.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_en-GB.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_pl.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3FED.tmp\goopdateres_sk.dll	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP83D0.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2440	bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeDebugPrivilege	2604	alg.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeDebugPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe
Token: SeShutdownPrivilege	544	mscorsvw.exe
Token: SeShutdownPrivilege	324	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 792	324	mscorsvw.exe	39
PID 324 wrote to memory of 792	324	mscorsvw.exe	39
PID 324 wrote to memory of 792	324	mscorsvw.exe	39
PID 324 wrote to memory of 792	324	mscorsvw.exe	39
PID 324 wrote to memory of 1756	324	mscorsvw.exe	40
PID 324 wrote to memory of 1756	324	mscorsvw.exe	40
PID 324 wrote to memory of 1756	324	mscorsvw.exe	40
PID 324 wrote to memory of 1756	324	mscorsvw.exe	40
PID 324 wrote to memory of 1980	324	mscorsvw.exe	41
PID 324 wrote to memory of 1980	324	mscorsvw.exe	41
PID 324 wrote to memory of 1980	324	mscorsvw.exe	41
PID 324 wrote to memory of 1980	324	mscorsvw.exe	41
PID 324 wrote to memory of 1188	324	mscorsvw.exe	42
PID 324 wrote to memory of 1188	324	mscorsvw.exe	42
PID 324 wrote to memory of 1188	324	mscorsvw.exe	42
PID 324 wrote to memory of 1188	324	mscorsvw.exe	42
PID 324 wrote to memory of 1300	324	mscorsvw.exe	43
PID 324 wrote to memory of 1300	324	mscorsvw.exe	43
PID 324 wrote to memory of 1300	324	mscorsvw.exe	43
PID 324 wrote to memory of 1300	324	mscorsvw.exe	43
PID 324 wrote to memory of 2992	324	mscorsvw.exe	44
PID 324 wrote to memory of 2992	324	mscorsvw.exe	44
PID 324 wrote to memory of 2992	324	mscorsvw.exe	44
PID 324 wrote to memory of 2992	324	mscorsvw.exe	44
PID 324 wrote to memory of 2068	324	mscorsvw.exe	45
PID 324 wrote to memory of 2068	324	mscorsvw.exe	45
PID 324 wrote to memory of 2068	324	mscorsvw.exe	45
PID 324 wrote to memory of 2068	324	mscorsvw.exe	45
PID 324 wrote to memory of 2764	324	mscorsvw.exe	46
PID 324 wrote to memory of 2764	324	mscorsvw.exe	46
PID 324 wrote to memory of 2764	324	mscorsvw.exe	46
PID 324 wrote to memory of 2764	324	mscorsvw.exe	46
PID 324 wrote to memory of 2752	324	mscorsvw.exe	47
PID 324 wrote to memory of 2752	324	mscorsvw.exe	47
PID 324 wrote to memory of 2752	324	mscorsvw.exe	47
PID 324 wrote to memory of 2752	324	mscorsvw.exe	47
PID 324 wrote to memory of 1052	324	mscorsvw.exe	48
PID 324 wrote to memory of 1052	324	mscorsvw.exe	48
PID 324 wrote to memory of 1052	324	mscorsvw.exe	48
PID 324 wrote to memory of 1052	324	mscorsvw.exe	48
PID 324 wrote to memory of 1656	324	mscorsvw.exe	49
PID 324 wrote to memory of 1656	324	mscorsvw.exe	49
PID 324 wrote to memory of 1656	324	mscorsvw.exe	49
PID 324 wrote to memory of 1656	324	mscorsvw.exe	49
PID 324 wrote to memory of 2640	324	mscorsvw.exe	50
PID 324 wrote to memory of 2640	324	mscorsvw.exe	50
PID 324 wrote to memory of 2640	324	mscorsvw.exe	50
PID 324 wrote to memory of 2640	324	mscorsvw.exe	50
PID 324 wrote to memory of 1996	324	mscorsvw.exe	51
PID 324 wrote to memory of 1996	324	mscorsvw.exe	51
PID 324 wrote to memory of 1996	324	mscorsvw.exe	51
PID 324 wrote to memory of 1996	324	mscorsvw.exe	51
PID 324 wrote to memory of 2348	324	mscorsvw.exe	52
PID 324 wrote to memory of 2348	324	mscorsvw.exe	52
PID 324 wrote to memory of 2348	324	mscorsvw.exe	52
PID 324 wrote to memory of 2348	324	mscorsvw.exe	52
PID 324 wrote to memory of 2104	324	mscorsvw.exe	53
PID 324 wrote to memory of 2104	324	mscorsvw.exe	53
PID 324 wrote to memory of 2104	324	mscorsvw.exe	53
PID 324 wrote to memory of 2104	324	mscorsvw.exe	53
PID 324 wrote to memory of 2128	324	mscorsvw.exe	54
PID 324 wrote to memory of 2128	324	mscorsvw.exe	54
PID 324 wrote to memory of 2128	324	mscorsvw.exe	54
PID 324 wrote to memory of 2128	324	mscorsvw.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe
"C:\Users\Admin\AppData\Local\Temp\bd982f39f35ae9263fe7ec38a30a3a0516826f8e56848f260b74e901f3b1a8f6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 25c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 238 -NGENProcess 1d4 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 248 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 284 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 248 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 298 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 278 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d0 -NGENProcess 1c0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 2b4 -NGENProcess 268 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2b4 -NGENProcess 1d0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 244 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1d0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 1d0 -NGENProcess 2ac -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1d0 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 154 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 154 -NGENProcess 15c -Pipe 16c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1792

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2196

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:604

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2344

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
9cfccf3d478a75b7de35827e7223ed71

SHA1
191199e50a3990eb0246c161e1142ad3316ed0f7

SHA256
e40914e67d3210977ef39e7b86c6fb2530be8c43af27840e6bc21fb8859afa21

SHA512
437bbbac11a9af9315bb043c08e48c08ec8db06c08e2d4ac842a8500da25a8d56252f721cbf5c214c3a8d0148c522e954d47409d6f3bcf65921b1cc74164462a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
f1828201c8b17ea1beb520ef99e31bde

SHA1
dc5e494ae4f46b22c3e51c4a12cf2775ac1f8a79

SHA256
273a71a1deba48046bfa028f15e8fcfcaeb349b146d39082a7d138522aa47266

SHA512
75d58e26d928d0d7652d295386ea0347397290f090c65e2fd65fab87baf343030329851db99d2a126030ad82f03b1edf5dbbaad8e8af6dcff02e92e2ae22858c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
4283e1eed00909f57796309d88c9dc1b

SHA1
042b90164999a1cfe452ec864a421078f8fdcd8b

SHA256
a25708bb91ccf6ba4259d198420d42f086bf94086509f5e4a716aa7cc00a5a74

SHA512
9b821eeca8822905342be28c19a4f7cdec4df23636344285dea38fc7a593e5644cfb4d91c7829ef9ee9ee509ea264f44ac77a8912b3435e6bf3a65a56c99c62b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
cf87815c7d74a935fa956f0ecba03623

SHA1
1a04fd42b5a7a0dd335926327570ea172e628965

SHA256
16e960207bdd93617f2ab7463210d67af217f1860e6251e2168eee91744b526f

SHA512
2c068f2a02f2ae98676c4fa248ebe88aeea628dde2a3299dadd0d30464cb1a4fe8237a41252f531be3b92f2e464cbb090ba120bf9736963e39650a435e863fd6

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
f41389f25b1c588dcc5cec04b6dfb3bc

SHA1
d40121111ecc94bacadee089d5e7ff9facda516f

SHA256
d5b52c299caef2cfde5e27767b572fd5af1631cac9c2c4eaaace1ee9142c517b

SHA512
a132edb2c0b528057b1abca8521e1e2ff0857f0fa5a98d28abc13c0b50b3e8fdc393c888c43c474e9b35d8ad8a3ba238ecd6c8e7b6a22d3f2066bd00c10282fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
bb393528f11ac9bfda16f0ebf1efd438

SHA1
f06c7681c6507976f88826a3344d501b1358d9b4

SHA256
540dd7bbbb69c2176fa768e60a26ce71716f3b4dc2560232b5b443efae8712d7

SHA512
a89fa832f4bbcc9a1cef76d07ae00889697848b4b2f8cafa4376b9f3fb72c261ea69c6e1ded418ba7266237293db721ae012a360ec13589196e32e412eecdea1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
a0ae0e36ade66c66bb0ff967b8e9c65f

SHA1
2f6ddec89ed5056608d8c9039fbbde7dfcfcd108

SHA256
ed3ee627297e01fbd1df129d1831a67dd3a6ae8e428b2b2f24ec0cc230c29112

SHA512
a1e474184e5437514056dd8adf68bdcb5a7527c50fbbbde4f95d15441a0e9888c4b43efca1eeb557db90353df34a7169b872f6a56b2bc745cc4c593af7c4d93f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
a0ae0e36ade66c66bb0ff967b8e9c65f

SHA1
2f6ddec89ed5056608d8c9039fbbde7dfcfcd108

SHA256
ed3ee627297e01fbd1df129d1831a67dd3a6ae8e428b2b2f24ec0cc230c29112

SHA512
a1e474184e5437514056dd8adf68bdcb5a7527c50fbbbde4f95d15441a0e9888c4b43efca1eeb557db90353df34a7169b872f6a56b2bc745cc4c593af7c4d93f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
2ea4b3754843c0a209bfc9829c21ef99

SHA1
8a9d2cf1e87edbc235989a49713179fbece83ce2

SHA256
484a95f8a803651be7e737820b8a84a0f1ae5848d37feaf112762528f45b9047

SHA512
4ac10d35646344db059b3e47d4203924102c7b6432004edcc1df56aa4d6ab5f1fe6280be6933ada83047b36abab2b92b17df3cc08faa307a1c2898a8963105de

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
cbaa01e481a935a5e3b52aeb85353587

SHA1
6bba20c37f8d3a1373fabca93e9ee6a0da97e38b

SHA256
0eec79d2a227ed24c20902ca037d5050b307fec3a75a946ee59b8bb35228f10c

SHA512
37d107da701d7f86d736c9205de633790a183f5f0e627c503e0de43ce895195b672bfe68138ab7c786acf42aefd3707c09b12918083510bc7c3dc02bd6d0c831

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
065199ad0105e3d0c0bee47a04aed2c4

SHA1
a86a5e80ba3e07eddcf5a02d2bf09eb4df46044e

SHA256
58609cbe8f3e821d4f9095ea739615e553ff064ffb5d156ab9c8e6802378f4c3

SHA512
d776dffadbcbe3c784f89ed1f059530de3466e4946cbde4629fdc4d7879de09ff60362b5883740c48a6f522a55c015703285fb09b7bd41f9a17e1ecfbf385f09

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c6250c0ebefc1c3b02e9b58257250644

SHA1
3de51f13a675e417f62bc4894e9e91d8defbcc71

SHA256
129c73e79b786dae8720769db8aaf1f1a8d42975a01cfa7a450f592d3f3b4416

SHA512
e3819610b07ec37cd941c38c1e9d9aec22d444769cf009475b14d2bcc30580b8687b30212f6037e173e7719415e4a639bdcb8ded143dd534b016840eb3a234ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
3fbacc8dc5ca66fd1e1e82c827761619

SHA1
4d52c558320b889aec92d51b44801299051771d8

SHA256
0565f526659f3c5ea082f13fd59a17f61c998b92348c7519cf1a9d493f4a9f2a

SHA512
cdb8e81593bfc3dc883ebdf20da7207cc7cb1b6f54ee684070b0c50f299b494640574f340bf06b8ac0a794570257a778dfc5ae62aeff665ffa5ee6a76a5ec357

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
14a7c4c697e132ed23993163ff054533

SHA1
087ecd913c31d3618134f3c1e21761ee282ec9f6

SHA256
f8e1ed510dfc831ddbdc21dceab117617dc6579d8c8830408e0edd2a9248381c

SHA512
b7376c5b816c842a40568ab2ff0732146c37eb8083cca7ee7bd3dd0838488d6cdc330dd859047bd87777ed86b7b7d7c8ee1f49442c6ce9bb42265d366e96d007

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
595b7c501705312ff9fbd11910de5a23

SHA1
77836c30c834264fec323845ffa89417118c3680

SHA256
e30e9e522dc58cba44fbffe952548254cec38b54083d9b965d47659d4d02b2ef

SHA512
088cd097d783b6de05e8cbabddd44707f6d747ac1f45e43fd491af6fc0373590c98eee1bb994f97bfa9136288bbdfe61eb1babf979d0600402ccef07766d106c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
98c0a51afed9dcd76966f2adcbe981b9

SHA1
047ff21be691556747f4cccfe1a5d05280141f9e

SHA256
422445b056e6d11419d62c8dd9fa23b2ac6cbd0d4d0c3d0e35726b426f0988d6

SHA512
a61016fb2d4ed8cec5615976fc3a0d657c505e3b2ea28b8332bc2be85f3a08eccac22de56e214052276181b89f1c29d1a89527be37d0636e62a813c5bcbfc266

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
dc13640bf402b555981f730a58044a7b

SHA1
a543ccb6b6a299b2be0d49aa1498862cc783cde8

SHA256
2489b01cbac96ad7228c47034bbe65d8da91bffae754ce056c0c195afbbbef7b

SHA512
1447c6314ad9a1b2c90c6f4a41b21684c2805387509e0429f63949c8bf86ab781760ec3f46022fe9f09e39ac385d7899d52aa72971e1edf86f4cd1b188152155

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
a282f6bcb4562964f956fc52d6a50e50

SHA1
54678a483ac7982468397ef6ea2b334ec450e54d

SHA256
89674e587167c78e449fb9c333fa72af6f70fe25127bbc4b10dd4cd32bed0835

SHA512
c1bf9d29a086fcecd992c400c91fdeaa863d9536417910b864b31d10dfbca1d4da76bb237fcfba811125da1d4d0dee82e79d70763bb9cbf52a5cf52ae8dc8458

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1efc63bcbf9c4cc86581a681efb2d3c3

SHA1
4bfc9faf2ff383615e21b41788b6673958a6455d

SHA256
7d1a037818a8eecabbb0ec0074782a72edee9f11425c5af348d6d9ef7519c169

SHA512
2032a524118cb92900943b12da1fe27b5d5aae8a1ad750e193eec1a86eea0d0396c30af04c4c3566ae7fbe981277b44a7aeb0cf4f1ebb42014bb6000e28584df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.4MB

MD5
dfd33211f15316e342037f8b1c155808

SHA1
e1f98dea269e01a61f0133f5fe9fb32fc84a6f70

SHA256
c3242af5e405488c2bc775a48a893c5afeb7a2dc2ef1a1efee05346be6662a46

SHA512
eadd716a1f8cd985f7e51da01387e6dd560583abbffc33a0ef949335313c2903ecbbb9658dbeac5cec42350a2714bad843cc8d089910f7feee86f7d8de802a14

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.4MB

MD5
7bea14db6f50eedc9974154cd10d4bfb

SHA1
00048533b8b2b79ab2f49c201d5525d7b458e01f

SHA256
1a36b70332603a61da43199c26da3b87f1d9ce3278abdee9fb906b227aeaa3ba

SHA512
ea919fe27fc900acee20dae5d3d8c47568372c2d2248cfec68dbc025c0923b45bbc2c596c7e7ec6a6d7ff37a5c3c93ae64b74b61de25cb1b02b0432242d2e528

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.4MB

MD5
8cc281a36acae53fe404e1aab9d06688

SHA1
77ec7395ed6cc3c4d248dba11f7ddc0f92a86651

SHA256
48f692fcb41ded4f91010c67e77ead936de782653c7feec59171d7141f6950e3

SHA512
4750d853433cd2d3be1950d86433d13b2315b2ad8f133e4bcf35a0bc865b262303397e138612a23e2ba5c7ac23e0ac52d0b4ac73ead8c7635306d2ad7e8fa784

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.4MB

MD5
2505f7bc098585eda6ff19234136370e

SHA1
ab34fc8919c410b83618f2e768bcf5edecc13e29

SHA256
86a1a0d5b0aad64ca6b45ac815f4343d3e63d47d13f19ea099667cd8169c43b1

SHA512
02068c545a863d52bb3f8f02bd4067d8d0d34bd73f6f9ffb286c8b46d2c09a93f1007f728dac11805a6529d5765790ba79d5453327206201a49739f8d50f7da3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.5MB

MD5
5982fce84aa8316aedf292f1e66b79ba

SHA1
632a2b2d9ec6bf7d9836868f0ed79da7f5f27210

SHA256
4d86fb7dddf11453182794e6a656234a1a8c41671debddbe2fc1f263dba474a9

SHA512
e564a86793dea1b4ee3cd57d9bcebd8adcd7a2019345137494d9c2d959c4d2549e516ddaef055f5500c8b4b44b8b2c9bbc44ed0b61ddf905fef84f70d32b52ae

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.4MB

MD5
fd5dffa8e469e46f2c454bf310b97733

SHA1
5edd8e81a72b823372137b7016ab9127c7379bea

SHA256
fd47b22a574e4483762e9199d6a7e99d4de0167826702d31b896bb078459c3c4

SHA512
d7aad2c1737b4157fc9ccbb1ea67f314956de9b70f97bdcb399bb93f28db59141c3d0d29f39778804cdc3e3468fee040695e090be94b80497dad8ca00bb305f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
61dc638a4f339826e1a065314217ab77

SHA1
33cd3dcf564cfee3e003e27035bce4f60cfdce76

SHA256
c0d041d00bba75aee88a011581bdbcfb9f65c0cec4fb18d7413bd4a44eed50cb

SHA512
51e82578dc5a661eaef02885492942910afb0007c7539b4a3f57b6018ef3045185a2e1949d6c99173ea0c5426e7d17c0367cc00acc8254372c2e54630e94df88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
61dc638a4f339826e1a065314217ab77

SHA1
33cd3dcf564cfee3e003e27035bce4f60cfdce76

SHA256
c0d041d00bba75aee88a011581bdbcfb9f65c0cec4fb18d7413bd4a44eed50cb

SHA512
51e82578dc5a661eaef02885492942910afb0007c7539b4a3f57b6018ef3045185a2e1949d6c99173ea0c5426e7d17c0367cc00acc8254372c2e54630e94df88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
bd113a30a2e77762d79efa4992ecd177

SHA1
5d75cafdd6bb8d01298d19613f4a8f65c7a29e5a

SHA256
b2837894a733913d13044393085530474c0794fdc42dd5205518a8328c3b3075

SHA512
afa5cb388514ce50ceb38b21ea9f540373b2950eaa01791ed80a5c69504dc4c194f94be854ef56feb9ce28db73a111d47a3ce08b86b9bcade18b36316a02c21b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
fb268a90bec1a837b08a19833a1c48ea

SHA1
2f24cd2507c884050068ad211fcdf1df7ccc799b

SHA256
c13e8633f35d645391d5bbb54376c4e3cebfa8d298f585c1ded1e1177b5e065f

SHA512
1cc60eea1f22f956c44a610b72cf244400cb559135ec30ce8845a5ecd9fa973ae7d007bbb6dda68d86d914b88a08eef703c6b19b27aba550344566ffd10f2862

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c0e3449a0e0c778a84327643c5eb09e3

SHA1
27c2a915c95d28773c091e0e94f36210f7e11b62

SHA256
5e90cb1ccdb405a580ac40221241fc4f9a075866782a9becdf89aad6418d73a0

SHA512
f9afabe75f7296fddc9e163f9be4cfd837e73d6f28aa7279fb56c87593277ca2368d842b2c22e488104247647b520b45f26dde9ff93f9a516e585967c8c10a5b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c0e3449a0e0c778a84327643c5eb09e3

SHA1
27c2a915c95d28773c091e0e94f36210f7e11b62

SHA256
5e90cb1ccdb405a580ac40221241fc4f9a075866782a9becdf89aad6418d73a0

SHA512
f9afabe75f7296fddc9e163f9be4cfd837e73d6f28aa7279fb56c87593277ca2368d842b2c22e488104247647b520b45f26dde9ff93f9a516e585967c8c10a5b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c0e3449a0e0c778a84327643c5eb09e3

SHA1
27c2a915c95d28773c091e0e94f36210f7e11b62

SHA256
5e90cb1ccdb405a580ac40221241fc4f9a075866782a9becdf89aad6418d73a0

SHA512
f9afabe75f7296fddc9e163f9be4cfd837e73d6f28aa7279fb56c87593277ca2368d842b2c22e488104247647b520b45f26dde9ff93f9a516e585967c8c10a5b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
c0e3449a0e0c778a84327643c5eb09e3

SHA1
27c2a915c95d28773c091e0e94f36210f7e11b62

SHA256
5e90cb1ccdb405a580ac40221241fc4f9a075866782a9becdf89aad6418d73a0

SHA512
f9afabe75f7296fddc9e163f9be4cfd837e73d6f28aa7279fb56c87593277ca2368d842b2c22e488104247647b520b45f26dde9ff93f9a516e585967c8c10a5b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
9de1e4609f6c9423b156d34375ade58c

SHA1
1e2cbd54d130022adab3aa50fa9228c1f0583471

SHA256
f27f047efbc7852899a90c5f7d9fff12298f6db7b0ea369fca925d2586a18af9

SHA512
c3da96a0dd36de0a2748d4f5d9adcb3f9586d65f6a024f8c77ff1be2b670883b3e4f00c12bc7ff314e2bdeaffc64f69661f5e36681ca211b5797fd9340bbec43

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
9de1e4609f6c9423b156d34375ade58c

SHA1
1e2cbd54d130022adab3aa50fa9228c1f0583471

SHA256
f27f047efbc7852899a90c5f7d9fff12298f6db7b0ea369fca925d2586a18af9

SHA512
c3da96a0dd36de0a2748d4f5d9adcb3f9586d65f6a024f8c77ff1be2b670883b3e4f00c12bc7ff314e2bdeaffc64f69661f5e36681ca211b5797fd9340bbec43

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
01f96da6651da707c01451028e26bd64

SHA1
d3aa6aa9dd9f42c009348ecd3c421fea531b109e

SHA256
0bc4694ad155d11d0eb1bc788afcedd71f6e3e08c86d123423e0f993d2b49375

SHA512
1511614cce8a966b9e0cf509598c570f2ad03eebe9fdfa2f5c2f77df9fb13d98d18d5cf0988de4eea7421a26531253d29ca1662dec8d34bfda2524f8eae5e00d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
bb18467486176e9904ad2d12125de92d

SHA1
b56fb1c03c7793f0bf809c6c4619a590dd714e24

SHA256
e18e908c0a740b2b34a9183e2a02d86586ca3b7faa008c8e4a09f31473897346

SHA512
aeda66f35e8aec70d1d4eb33aae8755c64e367d40cf52c9de06174049f7e123b31bc46b48321d3987dfa788f939f276c98e671b987683ccc51fc9a2ee7ec61e4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
4e7ec5d4c18ab12e56c9207b75f760bd

SHA1
4ada16b298563ebed7ea86d4a7787332f3ab0d30

SHA256
95315995a289ecdf07caac5c975598fa20990923aa369441fd6bfb12f862e6b7

SHA512
5bd99f175038bc7c562e5e8045f9d2cffb6d1341e8139a48be2ebba107fe7b1a7c8d4fd7965927389246f2f41d00e53e3256680cb74511c585e969f5ae8001c3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
61dc638a4f339826e1a065314217ab77

SHA1
33cd3dcf564cfee3e003e27035bce4f60cfdce76

SHA256
c0d041d00bba75aee88a011581bdbcfb9f65c0cec4fb18d7413bd4a44eed50cb

SHA512
51e82578dc5a661eaef02885492942910afb0007c7539b4a3f57b6018ef3045185a2e1949d6c99173ea0c5426e7d17c0367cc00acc8254372c2e54630e94df88

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
fb268a90bec1a837b08a19833a1c48ea

SHA1
2f24cd2507c884050068ad211fcdf1df7ccc799b

SHA256
c13e8633f35d645391d5bbb54376c4e3cebfa8d298f585c1ded1e1177b5e065f

SHA512
1cc60eea1f22f956c44a610b72cf244400cb559135ec30ce8845a5ecd9fa973ae7d007bbb6dda68d86d914b88a08eef703c6b19b27aba550344566ffd10f2862

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
4e7ec5d4c18ab12e56c9207b75f760bd

SHA1
4ada16b298563ebed7ea86d4a7787332f3ab0d30

SHA256
95315995a289ecdf07caac5c975598fa20990923aa369441fd6bfb12f862e6b7

SHA512
5bd99f175038bc7c562e5e8045f9d2cffb6d1341e8139a48be2ebba107fe7b1a7c8d4fd7965927389246f2f41d00e53e3256680cb74511c585e969f5ae8001c3

Download Submit
memory/324-123-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/324-124-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/324-130-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/324-267-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/544-216-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/604-249-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/604-246-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/604-262-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/604-258-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/604-254-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/792-388-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/792-390-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/792-308-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/792-364-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/792-314-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1188-495-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1188-487-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-481-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1188-496-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1300-498-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1300-501-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1300-516-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1300-517-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1300-515-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1756-406-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-427-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-381-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1756-386-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1756-428-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1792-223-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1792-222-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1792-229-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1792-286-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1800-113-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1800-136-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/1980-474-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1980-486-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-426-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-425-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/2068-533-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-549-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-546-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2068-521-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2068-544-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2196-235-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2196-241-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2196-240-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2196-306-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2344-414-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2344-261-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2440-1-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2440-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2440-7-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2440-215-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2604-31-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2604-60-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2604-32-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2604-230-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2764-543-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2848-95-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2848-244-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2932-98-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2932-104-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2932-213-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2932-99-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2988-475-0x0000000073E98000-0x0000000073EAD000-memory.dmp

Filesize
84KB

Download
memory/2988-268-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2988-270-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2988-276-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2988-283-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2988-309-0x0000000073E98000-0x0000000073EAD000-memory.dmp

Filesize
84KB

Download
memory/2988-424-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2992-518-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-528-0x00000000726A0000-0x0000000072D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-529-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2992-514-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download