dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62

Analysis

max time kernel
153s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
Size

1.8MB
MD5

ebd7d072318af9035f9ccb02207b278a
SHA1

d67f26f5cfd946ba573d6f5251f7846b595b2fd0
SHA256

dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62
SHA512

6a976b02f7bb552dacc874380e50b60d222c85e260d20c8f768f26b6669e90ddaafd18a930dc8fdcbed534814fe7b1ae5470b15abd54c03fc992ea2b2707ab68
SSDEEP

49152:5x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+/snji6attJM:5vbjVkjjCAzJnEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
468	Process not Found
2796	alg.exe
1648	aspnet_state.exe
1668	mscorsvw.exe
2180	mscorsvw.exe
2280	elevation_service.exe
332	GROOVE.EXE
1888	maintenanceservice.exe
1936	OSE.EXE
896	OSPPSVC.EXE
880	mscorsvw.exe
2804	mscorsvw.exe
2360	mscorsvw.exe
528	mscorsvw.exe
1728	mscorsvw.exe
1828	mscorsvw.exe
1452	mscorsvw.exe
2120	mscorsvw.exe
2824	mscorsvw.exe
2856	mscorsvw.exe
2780	mscorsvw.exe
3064	mscorsvw.exe
2020	mscorsvw.exe
268	mscorsvw.exe
2408	mscorsvw.exe
1396	mscorsvw.exe
688	mscorsvw.exe
3000	mscorsvw.exe
2240	mscorsvw.exe
2588	mscorsvw.exe
2752	mscorsvw.exe
1576	mscorsvw.exe
632	mscorsvw.exe
1524	mscorsvw.exe
2568	mscorsvw.exe
2724	mscorsvw.exe
2644	mscorsvw.exe
2628	mscorsvw.exe
1080	mscorsvw.exe
1464	mscorsvw.exe
2568	mscorsvw.exe
2528	mscorsvw.exe
2372	mscorsvw.exe
688	mscorsvw.exe
2928	mscorsvw.exe
1744	mscorsvw.exe
1928	mscorsvw.exe
1152	mscorsvw.exe
2800	mscorsvw.exe
1704	mscorsvw.exe
1092	mscorsvw.exe
2392	mscorsvw.exe
2208	mscorsvw.exe
552	mscorsvw.exe
1572	mscorsvw.exe
3040	mscorsvw.exe
816	mscorsvw.exe
2184	mscorsvw.exe
868	mscorsvw.exe
2444	mscorsvw.exe
3000	mscorsvw.exe
2660	mscorsvw.exe
1340	mscorsvw.exe
1644	mscorsvw.exe

Loads dropped DLL 31 IoCs

pid	Process
468	Process not Found
1464	mscorsvw.exe
1464	mscorsvw.exe
2528	mscorsvw.exe
2528	mscorsvw.exe
688	mscorsvw.exe
688	mscorsvw.exe
1744	mscorsvw.exe
1744	mscorsvw.exe
1152	mscorsvw.exe
1152	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
2392	mscorsvw.exe
2392	mscorsvw.exe
552	mscorsvw.exe
552	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
2184	mscorsvw.exe
2184	mscorsvw.exe
2444	mscorsvw.exe
2444	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
1464	mscorsvw.exe
1464	mscorsvw.exe
468	Process not Found
468	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc6490a2c0d5d3a4.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_ja.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_sv.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_pt-BR.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_sk.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_ur.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_kn.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_pl.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_it.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdate.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\GoogleUpdateBroker.exe	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5EA4.tmp\goopdateres_te.dll	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9C5F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6345.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP89F7.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4386.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3247.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9109.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7771.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2200	dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeDebugPrivilege	2796	alg.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeDebugPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	1668	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe
Token: SeShutdownPrivilege	2180	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 880	2180	mscorsvw.exe	37
PID 2180 wrote to memory of 880	2180	mscorsvw.exe	37
PID 2180 wrote to memory of 880	2180	mscorsvw.exe	37
PID 2180 wrote to memory of 2804	2180	mscorsvw.exe	38
PID 2180 wrote to memory of 2804	2180	mscorsvw.exe	38
PID 2180 wrote to memory of 2804	2180	mscorsvw.exe	38
PID 1668 wrote to memory of 2360	1668	mscorsvw.exe	39
PID 1668 wrote to memory of 2360	1668	mscorsvw.exe	39
PID 1668 wrote to memory of 2360	1668	mscorsvw.exe	39
PID 1668 wrote to memory of 2360	1668	mscorsvw.exe	39
PID 1668 wrote to memory of 528	1668	mscorsvw.exe	40
PID 1668 wrote to memory of 528	1668	mscorsvw.exe	40
PID 1668 wrote to memory of 528	1668	mscorsvw.exe	40
PID 1668 wrote to memory of 528	1668	mscorsvw.exe	40
PID 1668 wrote to memory of 1728	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1728	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1728	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1728	1668	mscorsvw.exe	41
PID 1668 wrote to memory of 1828	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 1828	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 1828	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 1828	1668	mscorsvw.exe	42
PID 1668 wrote to memory of 1452	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 1452	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 1452	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 1452	1668	mscorsvw.exe	43
PID 1668 wrote to memory of 2120	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2120	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2120	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2120	1668	mscorsvw.exe	44
PID 1668 wrote to memory of 2824	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2824	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2824	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2824	1668	mscorsvw.exe	45
PID 1668 wrote to memory of 2856	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2856	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2856	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2856	1668	mscorsvw.exe	46
PID 1668 wrote to memory of 2780	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 2780	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 2780	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 2780	1668	mscorsvw.exe	47
PID 1668 wrote to memory of 3064	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 3064	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 3064	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 3064	1668	mscorsvw.exe	48
PID 1668 wrote to memory of 2020	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2020	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2020	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 2020	1668	mscorsvw.exe	49
PID 1668 wrote to memory of 268	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 268	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 268	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 268	1668	mscorsvw.exe	50
PID 1668 wrote to memory of 2408	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 2408	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 2408	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 2408	1668	mscorsvw.exe	51
PID 1668 wrote to memory of 1396	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 1396	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 1396	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 1396	1668	mscorsvw.exe	52
PID 1668 wrote to memory of 688	1668	mscorsvw.exe	53
PID 1668 wrote to memory of 688	1668	mscorsvw.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe
"C:\Users\Admin\AppData\Local\Temp\dc45fede40b6bb7437156464fa3fe17caec6b2c2612c6ac357c04ac3cecdbd62.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f0 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 254 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 25c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 288 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 244 -NGENProcess 298 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 280 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 2ac -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 294 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1e4 -NGENProcess 1ec -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1b4 -NGENProcess 154 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 204 -NGENProcess 1dc -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 204 -NGENProcess 208 -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 1cc -NGENProcess 20c -Pipe 154 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1b4 -NGENProcess 210 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 210 -NGENProcess 1dc -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1cc -NGENProcess 21c -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1b4 -NGENProcess 220 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 1dc -NGENProcess 224 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 21c -NGENProcess 228 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 220 -NGENProcess 22c -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 224 -NGENProcess 230 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 228 -NGENProcess 234 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 22c -NGENProcess 238 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 230 -NGENProcess 23c -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 234 -NGENProcess 240 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 238 -NGENProcess 244 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 23c -NGENProcess 248 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 240 -NGENProcess 24c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 160 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 24c -NGENProcess 230 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 230 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 23c -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 234 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 234 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 228 -NGENProcess 234 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 264 -NGENProcess 26c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 234 -NGENProcess 270 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 234 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2280

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1888

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Drops file in Windows directory
PID:1584

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Drops file in Windows directory
PID:692

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
210KB

MD5
c01958c27ccc1394de7bbdba2a4d39cb

SHA1
6d1a5f7bcad2b3d56a43280d87997361d58054eb

SHA256
87f1c04db7d9ed31418a907754e90e5308d0a107e6f663d594b468c9126587d1

SHA512
9a06309d08db0990521f3fcea9262d08101a00444a849e62b4209cff9f847929014f0b8282de46ae4f5f2521fcc1de5b2687743adf6cd822a39f8ca46af0eed8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
310KB

MD5
fb779ff8c4f8c7e570b3ecf837a7b69a

SHA1
9dd2b3571d49e0c1d40c8ea6f35bede890e8ce6e

SHA256
5e9da62e29d57d0474e13c33a9e9f040443efa49b2196225ba5136df2499bd41

SHA512
8cc9fee849322ab9f5ff8e11b634a67fce1bb71e8b34d735a8405f1bef06511d281709ae6af85d57ddf30ad712bea9d45c59ec46fe109f6e06c21e86bfa67ad5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
359KB

MD5
4448f7c0ce5404ea349639c28e24e630

SHA1
92ae3d8a569321a7abd6d7c425aac04c18f7c19a

SHA256
d3a0cda178d556d7d2f667c05f9eb6d2c816869651992cf95e9356e17dcd1d8c

SHA512
9ad848c73e413faaba30cad0d91bd149aabdda334c575e09df4a95728be77d28e006b61a06b3f0e52caaf937f8d1f7d6f618f8815bc3e0ded50c468f85325196

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
459KB

MD5
6aa99244bc34f628721ff29c4fc06cbf

SHA1
7a9fedc58b37df5845dd163b0e1808840af6b84b

SHA256
fa4dd2303a89f685096cdd2838d117a2dea01e70d2a6ecbbe51bbc82d09e20e6

SHA512
289f89502fa359dafd5638e24c09ece483281b2d7cb0a48c4b12a5c5bcfcc220554411bb86b8b94604dd6c69043e4e2f8b31aaf664eda2cbce8983b25b40efaa

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1017KB

MD5
3c7994f2d7bc4a7cd21c332e3323a356

SHA1
899ca6c9e0cdfdee356ebf44d94dbcf9319ca78a

SHA256
f82c443e23e21a8bf45dde8bd2be4ba7687a61e9457ca579606df1577bbc84d3

SHA512
16e4b2c5a9479e1dfc0293409513242d4dc549ebfb671224581cdb43c2409d6caaac5ef422248a7edb7af01711952caa3be06b1c9a546acbedec58d1864e20d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
1.5MB

MD5
04a69f25dd3c0d0ab5b589e1d2c19103

SHA1
6636d5ca8785dd799dedf32b2a48c29f7de4750c

SHA256
9ea7629513154dd9e6fda24dbafe46eb0c13774b04d6a75db7be67e9ec572ac9

SHA512
6dddafdfda3fe92e8a254a4c363482b216b94a8dbc096785fcc1d5c91c12b72ac49bae99e71c33236bdbaa345dcef81a5822a8b6151c05b9be714d9092abf90e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
697KB

MD5
ca0c4f45dc2a3af83bf047e6108c627b

SHA1
53496c6cc2dc4688db4125beda73ba808877f2e7

SHA256
931b1c594b3105a18f54d9a9cd1c97c0aa70a9dc911223d0dd1f1128d51a17fa

SHA512
b1c14968eef377d9439fae759d864589bcca61c0b451a04b376a9cbebbffc2a368c3eb73f2266de135a4b12b35bd48191d53b07c8345c90c3ba60f6096519559

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
358KB

MD5
ab7e94ef43a772885c474d156d44143c

SHA1
df7f21685273b987fec7b03aa488516e16db9a73

SHA256
fdcc607e8e9ec590df1fbb2a7ebb32a6e4d87fe63cdec86db1fe97c6086b79a0

SHA512
bed015f5fd080ab700cf789c05e0d4cc30b1d76cee2c3399cf12e09f4e6b06f9476c82b987da668a656ae4c1a7ed672da16d68e75b0b3d7d17042aa1bd97d471

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
45KB

MD5
c8ccadc7565df6c057a6a41afe05d68d

SHA1
81d5147024c1c8cce454dc5062a6dec7c79711d6

SHA256
47b19af7320620d7e3e6e85b20a9f28e76b26dd55706a8783705e03c5d2c55d7

SHA512
49855449b63fb0971d6012355fbeb8280440ed3e26f9c2e6caa7d8795089f03ab757f2d13afbfd870a4f2e6038c0ea9495f678879b0ad63573b153e4a810690f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
403KB

MD5
6c1064f0e2533155d48ec16f0df8e3e0

SHA1
f08196d3fe998772863710354825d26230158c06

SHA256
a429cc4bd985161b4efb37ec604a694125cfe7fad450debe56397a368e2527e8

SHA512
18c91b4376d07c8fea175e704af70aa4a5a3de556a4a600adeb7d20aa37ce7fe1b4e1982b870002dc92b999f6d112c4e5cc36dd03c49c116196894de666a154d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
344KB

MD5
0d68c68af463cd87b30bc283e7ad29f8

SHA1
0504bc1bd4f8d16bb91a44567d32fcad5e85cc8c

SHA256
afc23201807026a47909069a7ba164025004250980aaa942ba3a2bde2ceab184

SHA512
d8fec3bd9b2fbbadef095f69eeb86db0bb74f60cd31109398da6eb74d4cdc11dc5402f6335b3384cb0f1f6da852e41d55e0a51dc86167fea5295a0ff13bdd918

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
168KB

MD5
5560040a66fdc143d5e117d3092c2a3d

SHA1
55c230d479be0146c8d9c01aa67c8b4dfa70adf5

SHA256
0e7aee199f8befdc677ebe1b58e256e9b7de1e8ed86e41f8e5800f5a0db8fb97

SHA512
8a60e9bb8d911d675a99347f557fc13ed7455e271fc3d6dc446f9e686c3ba2fc5f71def8f1ba9e5bf10eb72f511075c9c4e0c0baad281029c5d87c7a4d978d71

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
185KB

MD5
e6073ce563043de66dff4ec0a19e32ab

SHA1
b8ab69a5b9d7600f69f6a85d4ed6c71a0bd81c22

SHA256
51792f9f2a13b7f6db57995bb7b844304c708a469bed12dbd03c39884177f48c

SHA512
af68cbf369b3947675dd2f282d27174bd2f1a7f3adbdbc970ba878cce76d0325598bda3bea324e261c87c1cdc9770c2326548b6b9b2b7d98d074c980b9e1b8e9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
251KB

MD5
0384ba7054db138a2cc9069e53a8f227

SHA1
dafa401a11d22fde6a61c4986191339aee50d46f

SHA256
0f2cf5773eaf5c81f0ea9cfe783ad124ff3ce182aafc22d23ec64e3b2270c429

SHA512
5a048534b19e55c256acbbebbc459e49e7351491a4a5b682e1e8ae00a0c3226d890db13134b96f42f89da192fd1b238b70a272a5086f5f4526c74e4cd22ea75f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
141KB

MD5
a7a6c0f18e62d6669fbd149a4a713c8d

SHA1
9bbc4495df25d829d46e9ca47afca4d70a260491

SHA256
6628589d0ec45cabfd2e488031a5afd0e41eb5cb9037456a61add46392525440

SHA512
1ba10ec09e2789a6bb35b89f1140fd68d6e1014d4847d939cd75555945d3e01ce329f7455b38b5ac589f1ec5abf4c39730605e16a58b083a6241202aa16a649a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
276KB

MD5
02dc838406e6f8d8e587ac480466e4d0

SHA1
cd7fc69c96d9ff5682ae17dc7d76d77d5f46d20a

SHA256
513621a27469d2202356a89add7aa588e9f4aa932872ba7b6c4acef61a2cca58

SHA512
dad6adadeb5dcd5030c50c018b201bf19b21be379cfb3ccaab7ae800ee10c9466769b4ba921c147728f9131e84adaaee75adbabb66ac3a46798f50a6bc348345

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
804KB

MD5
a291c0c773176e19f200cc851d9177e2

SHA1
91cb5938065a4a2bb4d95bc66ae06ef500f1594c

SHA256
d0c8ff6034a3aab842398bae0e63f8b07d939895774e624b56b9728808e0d097

SHA512
7783dee86c310893514af3d91db87ce01e11182d144493d8828d2f2e4004c55f3d0622f791e029148e4ad7dc1160b14e37193aa477ddbdbe2700e177a7140250

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
196KB

MD5
a0df03fb5ee10f9cf661a412991d609a

SHA1
b8fc94dbfba3c96f6569fe3819fdd184fd387c65

SHA256
a249558ea5e6a0630a2e6e61b0aa0b4177ae06c547394d2fd165287ae824375d

SHA512
05dfba4da283ba72873923b10207da5816265234b8b8aebfdc9fe5c1bb5f378941d01591c6a8fedcc8bb1b0e96ccc74b592c0f6f0a21325770c819d368e1e9ae

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
136KB

MD5
1e35db0fe6de269a14e8dead6c2f804e

SHA1
3d3f72eef653fe583827c368f8f51aa9587a4633

SHA256
a10623114cb0cea4d9ddb41803d7de717191d39d882867388334b7bff7a6c59e

SHA512
d61d747dd200040b8a5802c1c3f4481c22f46b7246d8e29c0c4ba972280c39ebdb3b2a939082feca8536a4acc4da99f92142722f70f3569876cb383e4bb2cab6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
157KB

MD5
4f54ce0e2ce588d5ec86ceb558ef39da

SHA1
8963982fc33c1beef8a3aacf9938df27463e1953

SHA256
4b8aca9bca11e2b07a167c851859efe4e92bccb2b76989ae11768ce2a99cd619

SHA512
85e193ee268d9f8626488c8d6c2d505014241c7c8ea5d92df286bff2c7e58e079bb0132db0d096e703a89ff76dd8da27826a488c06f54f8fa35e0c985d4ff8f1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
279KB

MD5
d238443a0111237ff32afc87ebb7ea59

SHA1
2ea0d5ae33a5c74982999ba40cb8e2744ddcd64b

SHA256
1fc045c4e4e382711b05045c43e8622fa0bfc8ebbafebbdfba615a8b845cf1e0

SHA512
fa3cc42f530f9046d18d4fbd4b1e8a5fd8c2aabb1d959a6edde26eca8e484868411632269b0a7812e64a239bdc17d8d785d4c3edb658e15e7b466d26de572a8e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
153KB

MD5
ded8145e7b2279a91c4aba6379618692

SHA1
d34f7ba729af4479c875bc0ccc1fa0d996877a85

SHA256
a942e535a14a51ddc3e36afbac53cfca94782db4e78141bc28e88666a9b1e1be

SHA512
85f760aa4d789355d7e322beddaa5625788e287eb7075765cc6c47d1d253c6410a093b464da9f44c7e3e91a8f9ca2ddc54eccd662236012f57211002a8445097

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
128KB

MD5
8fb9950e81340b35228a3a26e5a4faef

SHA1
e00a87687ee02d93a5be69a2b551838c77a2af23

SHA256
836a9eaab819060c9bae703875f4d4dc8e8ff589af9c5611ef4fbf44c58a8804

SHA512
a28261929a3aeab87acd874c5668f0dd82caf69ef5783c107867d2a8e0e0067700fa7cb3fa66ce0f6d54d9f7efaba39abd9b24b69b8ee433c6e48734acd8838c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
227KB

MD5
b019f7ccb6a49fd701fa06fe40035243

SHA1
2ee88f6c4c449960263d23dbefafc3d837ac6cef

SHA256
07b06004b192e0bce9d6f07d3feceb6c87765baf6d2c92f8d1f7c9761f6ef3e1

SHA512
fbb036997beafb7df893196c31f2a8869409219561701088905ba90f8ec370276dd75def6e505befe8f55b14a86f5f4cee79b550456d9e4e2ae3bc264c328dec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
76KB

MD5
66eb41f1c363446d01921177930bd97b

SHA1
f37a460271717103c0845105b4d438841d2b5d6d

SHA256
3b8854b524ceb0f070908ed9d14dcf776cc0f66eca7d86d5c58a9e2581d2a48b

SHA512
8d8cfcc5008980aefaa0fc854dc7c1e1b51967ee462a949a76628057ec9a99c2a42f53e74c9edc7b0c0e5fb94d1bb57ec12f6657469a24243b08192c86efcd0f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
35KB

MD5
3c2435fd2e928aeb3b1adf2e224f7eff

SHA1
c849430beee585843982cb78f91104c721afd83b

SHA256
db15e241629f3ae5520b2688fd49e3009a38386f3e67f17ac3fde6b5c12dd325

SHA512
76bfe19220c08a655837d6c530f9bbb8673350c62f9f76971dac09f4d3c60d5045ec5aa3d44db2ef377c6bc880c979d640d861f79d60855bbb870701789445f2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
206KB

MD5
cdd57fb5b16d11af1d2c50ca6ff80de1

SHA1
0234ad7a477a02d6cc19de25f2d2e6c24e966b6a

SHA256
93a84e730f7cc033e8373a97e128ad5e97fcb7018edab0d74a97fa6cbcb73cbf

SHA512
c5662decc5495d5744eaac7b16f7f22f349eaedbf293ca85eacfb8dbdf93e119aec1ce51d410b958e065b799276eb6ee474b1566afdfadf3afd2754176e8e432

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
378KB

MD5
4ebe0eabce98737b3188946c7aa8e5fb

SHA1
8f1825b36abe02d1cbe9a0a811fe556e69005540

SHA256
c808df196961685b2be7d241ae75e7f0a75f3e1e9ea907e860e9253b30767b46

SHA512
521ae798a2b7c39540308e9f3b5eeac9cbd655a6428b9b86d391da68ce3daac2a6ead5a14475c4b5bbaaddf14229d88f110cb161e0da783096f187e390079631

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
116KB

MD5
8e87428ea59e8d0b7c12fe731b1d150d

SHA1
822d97f9169db34148d6d037eca6eed97b5f546f

SHA256
78887d7557726b9fa1d918f919443d4d08635d11ce8557384ce99a59c45bbe6c

SHA512
492c799eedbded3e1fbe491adb835c0eb46f1975ac8bc2bac09775346758c97a35ceac494f8fdc3e8e1626f0e73c1b20b965ca85f8de4d7e23fa71b8e42543df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
264KB

MD5
0cab9175998186aa04bcb82c65e0eb19

SHA1
605b18eccbc0f5419958beeb79f5a58f36058053

SHA256
817000b7aae5048866d8599e9de1e60a604f7b052028a0af42a071745b3e3217

SHA512
b383e81cb8cd4495f7597a3e9a419e10d55c1f4adc235600ce3d31d18c1c3acf58187716effcaa60f05b64cb4b903517d7a643cfb566b20f143c8052d68a2891

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
281KB

MD5
7e6a2eec2a9ebc365fb4f1e731396ee0

SHA1
2537dc377910d626cf2690c5d0e9c6b0ca0d450d

SHA256
5c6810c1d3cdc30cba7aa3429cca4cef5f65ef684c8a449e03c6fd5c0dcd9042

SHA512
09c2f63ac10ff3a3d7e9790d7648f0c93806ef866994b0ccf5d0ca842c4d706061497068591732152b444a7918e9eba4b4d246ebd02f0ba97250b348300e7808

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
237KB

MD5
2add63943484edef5dba1bb3b4dc18d7

SHA1
8d9b4710f4904e0eb55374d11e605043af3f0255

SHA256
25e6872f0d056e2d1b81127c883e7761d11605d1507ff45c5c582d5df8ddf3b3

SHA512
c400ce9630dbe763ef43e2befa9053a6d3768d62fa42d3435b979582dac3ecc90006061fb95d943d1c0455fbec410875a04f7fb0e207a6dce9405b7c221e6630

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
603KB

MD5
15e89cacc1135552b9c04d68e896880c

SHA1
0277020c55607bba740fc196698623f3deeef432

SHA256
14eb39c08a5e8acfec70e3f1a549f8b8c96f6253fe9bcdcf76ef7e70f6eb48fc

SHA512
1c385c894275721a0821dceb70797b13314a9d9a7e171e2abc21ef2eb6349438ae1596b04154f7ef07f6aef995b176102f3e4575a5a6df08633efc17ed07a787

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
441fce0ce09591efef92ebda811c1935

SHA1
a661f6735f4686d62fa585379ca534bdd2ef135b

SHA256
08a6331800530774161ce998708fa06a9e7e6221b736c76614ad1af5ed58a107

SHA512
bcbef2a13b8667618e3a1a07ac90530b687492755ffe023b53b52b53aeee02fcfe5affcb8a0138ba55a2b91785d69a5f244cb8e5e4fcd66c9487327ec9e0fdac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
133KB

MD5
ea87b20a15b63c0a85d33a378a84f033

SHA1
aae0fbb324b258442f0af7bcd947b8b8842d3c08

SHA256
7ab8a2a9cd016c76f995d7cd1cae1b446076d63fa078432c772903a03fba888c

SHA512
782bc94e44e02b485f8cfa54f566d90c7b169d4809ba82eadebc6f6cccd05bb22c328d2b2a12c8dd8effcc6d6e6c09f9fc3142fa735f6e25c1230bf54193f4dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
437KB

MD5
4bdbe9d96b42ea7f8e5d08c26a186925

SHA1
00eae611e1b32a8247c6537216db16fb5cbdbdb6

SHA256
b5126cde04c9f5fbc37e0b776245e19c59814819b96faef550d8c07e5ea0fafa

SHA512
4c0052f985234ed76b266a1c2c70b185850b724ee846d741a25045a89f9b539bb6734c95493065489870a1a5af7b4c96e425eaaf29d0b7ee799762facb91f048

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
0b87ebe072df26cf7b7533255fc56076

SHA1
cb9ddf8aab87420b88ee7cb571ad6a7974cd5b5b

SHA256
f29d9063880aeb42471f582cd2f9977ec33bff9ee81a1e8eb96bb265c3686da2

SHA512
f41650b45761546c1be1550dac22efc5a768453661fce9e78402fb72a075069d1b25b5591d29b3d56acca6d14e748162b9ae7111163f98dde2478c69d52ce204

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
dc4eedcd3de9da3e148b60754646f16d

SHA1
19eeefb58b3e293067b3ab518bcafcaa2e31ccb2

SHA256
a2532940562b3f9813dbfc74aac6906bc140f0410efd039d0a1d1d83f8e81848

SHA512
10461fdacd41beec74785f8a6dfe80e76d939d475d11b5be7b5324f637978ec51f197ccb96869a2afc4ef3232a175c2b15fd54cc72962793b638dade6d9ee9a3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
05df345f03095ace31de1f368239d152

SHA1
4c670db2e5ae5da83dd94cd095482320c7914a10

SHA256
02bd04afab7c41f045fb431f0bbed563c8582ce160c768c5943bbd5efd8608dd

SHA512
d7ebde6ef67cc51dcc0fbda3a827fe87a922d804bd8b77db35ead8a84231b753c04bcd3736e85435a55f248240870814d7939a7c33ca929cc399a6e6d4ba7c35

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
640KB

MD5
2cd98120892b9a746f89e91a8b8cd9b1

SHA1
a644203a0c0937e7b6372fe4b38ba5537ded0052

SHA256
2c17a588ed48a656169479980fc47bf54724a7f9f1be5c8bc50315f4ca250c1b

SHA512
fb1752f116ea6f7f07f9bad12fca526519e9a40f0f41048517f1e44aa63b728c04dd11aa46b50feb9732fa9a9421f9f5a1030cbc099971373c4a0c129957e880

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
187KB

MD5
9245f1cd57f5beb9a0890f002d1fd07e

SHA1
dc37ef2cae7519f093005f3777fa78cee05328dd

SHA256
d52c985ac08329210f0e7228c4c8893c72ef2ef42a3d25ade3e31034119fcb3f

SHA512
3fad165574d1f393e57b1996b447056287322203f8bc89eaa54d155d8512fb0ce7a0bff7d862ef2b2bcc10173a704bf034e0ed183300575208db9ba039dc1b8b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
213KB

MD5
e47d914c5141799b8a8ac585a0e2edf4

SHA1
ae666a59a31a003d0a223c9f1c0cd09c0226e6ff

SHA256
7df9c7aa769a59610d96413f61a957ecd8cf9e0aef26273bfa134eb51b4cb7b7

SHA512
4adef6c5a2f7eefaf9b9313f7d0046146cc8550688dd25ad0d740cc687bf776071db65355801977a7b769748e136e652d37d01e1c40b56f5819e2d421224b419

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
143KB

MD5
abc0cb5bf140d367d0b6271a28b7f710

SHA1
83a1af023c1c3d80a91b20363b6ef1fea14430c2

SHA256
a91089dc4b3f91c03a7eb276318fcb7e41950947d474fcb15232300723066e3d

SHA512
bfddab50800a2737177628703215160563c80882568e6b28d686f8924bebaec93701e2cbf3bde9fe1ad1cf52edc23bdd3ad7522040d7215de7d1c087ecc4a042

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
138KB

MD5
5e9a155ad61a4c46bf9b82ff2bb85859

SHA1
85b8c07d626651e7de9d2b9fbf74c3652d73564e

SHA256
1b51543f9cc5553412d2c090bc1be399235a55efbb939bd80dbc9048f1bd1d1b

SHA512
6a0fccf79a2bfd2ff6b4901482a9306103cc21579908e16516c8baaeaf192bbe9a30460b0bcfec1dd0e67ce0407eea1a31c3e4b7c303b6e14292d9ed7fb8887a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
142KB

MD5
cabf367e6de1e04c4c545bc0076f297e

SHA1
bf2b0a6dd5dcfa01da7d6eb4d488b05d885261a6

SHA256
8d90efd62f6e0847f8894c837f54ffe695f74cdf2b9ae1ad06ea0bd79e097bff

SHA512
b93ec207e1aaa7713d943e98405fd3275c2c6d87a3888c2d095c95f29f8e3266c3d6bcd3c20518319a93b727d3b0b021aa5e556f3358dd4068f20c19a9fa55c2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
13KB

MD5
f3831c4e03c648a1ac81b8d556a00743

SHA1
3a61f5a899e79b82670a15f71e74340689510ddd

SHA256
0e9f1e59c788d450a86a078cdf17b75211b708ec317ea38257c2334a40cd4822

SHA512
b1dc9995c2590d6d6e64f2a83e2fe75e881f415637b0ea6b9c24466518ea25e2705b7d44f065cc7675a30db9129f49b55207f6cc4679625eebaa0028b5b4d6bb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
111KB

MD5
d28a928f3766ac858ba863ff9a31a87c

SHA1
e7d3bbfedf7db6336455dc3fb2d95f71f069f210

SHA256
2214632f7ed19b2430f2e9ea0df08b8b8706b1fc37e2e5df9a78b5f5a9a786e6

SHA512
acfe4ce01496528af47441a2117e4d8ffeb116105a3259dfeb69fb499fdef88a6e6b3d448740cbb805b613c6f3478bac49bf3d33e334d316e15c9fe05976ac5e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
136KB

MD5
40f1df8f9987055e5865410bb5f44f9a

SHA1
8e9e68bc5981158793bc8dc9d5aad3aa62c58368

SHA256
ae7302c03dca9f45815e16ab188956a30b7ade1a637a5d00bfe1952ff53736e8

SHA512
9fd1403b5b9be1215cf066563e9ea3c7fc7723adad9cce46dd0b90b5a87fb7821c4453b50a4242fd4c055c00b646f617d246c85acd21147366ac08821e34834f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
107KB

MD5
dc8d73570d215a0b4424ee8d2c73b0ab

SHA1
adbf55c61ba39791f3948a3b37a40b3cc1f5d9df

SHA256
a0108c9c4c31efcf0424de1e704eb774954ea1d3294b754fbc160e834ab42ea4

SHA512
a570de149bc110f95921e40207563f6d9dfac81f37e07144226a6ab03756c6597fa562a64dd6e3c96d3f09b1f922375d7ef716dc5ec392375ea4b84eee8ff95f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
207KB

MD5
5338121bc3ed91b2524b7a41bb5a19c6

SHA1
a9bd5c6932938a4484bb34fa16856e50801f3b16

SHA256
55ddf9eaf57b79eb8931f39e273ec9cecb11d21c0a8aafb3024b8c5556a47266

SHA512
60dddb08fb0063155a5ebaeab94118bbe2e382902dbf82304913b325dcfc4bb2589b22263c35aaf54ac81282fbb339362e2759f97e26deafd65bb24ba6395f79

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
62KB

MD5
718accb48559f372e13e70a860dccfa7

SHA1
e0508510fb2f83a4fffac99cbee7decefadfc9c2

SHA256
4ccc016856175e86d01d66e35a223d2ab101239195642a4239f6820df8d05bb5

SHA512
f886329fb82d1a33bb6f8c0bf96d4a07ab0c6743ce20f130b594d158ba9b14b77797b39aa8a02a9490093873e9f5c0786aaa7f8d3f1e188c0749a58060b3c537

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
125KB

MD5
5b131663db32da3c66a6a696d3cea3a3

SHA1
dff69cfa5e253454a3ec96e385be188bed74be85

SHA256
8a10d08366a0f7916e687199bafe3962818d291f6db380ab9798120afe4c282c

SHA512
5b686fc4d519b7f4e14922e0e07ce54b6386c0c4b11e0789ada46c98bbdac90997d89a2e7621b901d4e668bd03cb8bdb5a4402bd9b2a1fdceefa285375cc3612

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
82KB

MD5
79c87eeaaa33d4a82c2ffaa1ae124f69

SHA1
16372da0d335ac98b2cd5d60fc23176b1c5a8aae

SHA256
58ea22f3b00093c7223f463ece208cbd5c082c60826338dee594f9e1e09904d6

SHA512
5e9158a520e57a64a9ed2f89983d8f824260f44dd954f843c98714bedf7ae54872e5dc0899b229b9646464224c78a073016c7f120cdfe8728eb1d0df48b93903

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
127KB

MD5
2cdfc73595d334069615f0c6c12eb7ea

SHA1
3856fcec0bc46380a1113a4c99b397ad42f93ba7

SHA256
5b1cb6b5a576f581170d1f675cb940c64b0c76e3d0ad52ebebe1669b40d8471f

SHA512
2dbcd8b3432e3b5ec55aa82b0f7caaf6500bcf02f1d69b7969a179bab3c0071bf363ed75eda8adf3eec7ee8595dcf948845760990abfb6ec88d54935c84efa5d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
125KB

MD5
e7a5301e6e75d3c5e4ba97a00f5c6928

SHA1
a94797b1d5dbd97a82a7801c4285cb0264116225

SHA256
e56c0f6c6f1e8c9ead3af49595d8a6d6573db35e79948af24f86d11da27d7ab1

SHA512
b6e616a65c42ba9347deba1aa60a495334d3ed2e8d767d8ef538b203191d5e957a555081fd4fe01a7c726472f15c3dff542f7d54279298101458b18151b7f067

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
124KB

MD5
5bdd05d193cade6c9e97e69fb01e45d4

SHA1
a2224f49fe1beb2254bcf0494ee336df3df764d2

SHA256
a25123100ce15548f3fc0b51f18133088fd62c62bcc1dca65519db99c66ee348

SHA512
fd250ca2cad0f2e0b750f7ca1f4e0edc6539f6b0dd4ec37be9ec96f04eaecb2a13747d7e53217654c15bf5a0de352ced0681d9bb64663f7b0b31acf352f4edd2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
140KB

MD5
8e2cbe2888c0d6ff73759ade04c75aa7

SHA1
6072e4cb9f155dcbf1ca59cbd729e891726d1e80

SHA256
fee30bbf0fd8413dfed54b6051f10e352a4a3d29c5ac16bdf7eac34b83849082

SHA512
e58d3d9cd818fc47c958e74966fa9dd3cd4953e7d46801294a535c96c9a80d8bf45c046a1000aa9853cf2fca7fa05d7bdf67b648780f54916d971eab68ad68b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
45KB

MD5
7e5413c3a6ce09f6a2a743d29eedba6f

SHA1
c4ec0f5ce18ab8ca05564cd50a94e76706e93c77

SHA256
c9fbba1685c673cb7de030007dc299510a9faad798de6c34be90fad5bd0bb24e

SHA512
d491fa581e810d58a48b187147704c6f4e1cd2167949a4252313cc3515676cceeb824fb891c232e80ca18e01326ac41f083ced4351ec3deb1298b99925d501a5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
193KB

MD5
217b0574c75b8ee18f196a45f1a0f8f8

SHA1
a3017e9351f29e49a212e635ea45ce5eb6e5ebe7

SHA256
9e2f2e9bbb176ac37e9574a09b673dae6e177ee5e2ac4a65a00a5ce15c04c83f

SHA512
f7fa9479f15eae65ae885d50e33d400ac454051117411bfc0d8cf9886a9bb949db13a928756fa34109a677e4a5966ac88bca691ddc0f494b99b17ab39892f2db

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
92KB

MD5
3008b2a55f959e87bc0bfe9542e2fe73

SHA1
39625769fd9162181681a3ee79f7de5bccdc404c

SHA256
ac1d26eb2fc253ab1a1fb402abf2c28686fbc25bc16889b41e94db55724ddaf0

SHA512
dfa08e21c01a6479d9acd2f398d76c56f47b4553cf010a82ed3ce802c21cf84ea5a8bad5d04fcdfe041a70a0eb4f67a29c3fa346ce05b53e3f94f55c5b6445b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
232KB

MD5
67fb095b3e2e9280d8034a53a0e87996

SHA1
809ce78a8d1bb17f342ef1775d93449894ba5d5b

SHA256
1dd084e213689a2e4d9fd4bdd5264ca4d89e83211ff6dcdd4c8688b7eba62b99

SHA512
b8cba83799cf222d5c2e124ad0312cdc7336b6d78821d6da7ba8fcc4ae1620bed80918b350fbf4362e8e63f39c56e83b43b39e7706e3c3f221b382c51673368a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
22KB

MD5
f14815c1a8e53c609b333340e5131765

SHA1
ec99411040651db6edeaa806e21e8ceb489a2249

SHA256
e94b2d322e588eeabbc7f9053c2af42db8d59c64e171aff8b3d187ae825c3f8a

SHA512
31bb25e7f3868f551efc73e93cf40c5f058cd5cab2a0db7f135fd6147af38a0ba7b4e99f89c7380ded6b406adeaea86a55405ba9b62d0a44b72985da64b0f616

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
102KB

MD5
a4df88847ae6e65b40b7fb43f00fdb21

SHA1
7678cf6c0a7bd6e43792546cfb1b7e3ec405916a

SHA256
e9fb46d61b04edafbeceb786d9128d435eb6de202697d9ebf898cbc8da521e9c

SHA512
b9b7c96a1d3a51339afce0117b8121062b5f520130e8cce4ec46ce0eba92afc5787d1a4c439b2ff5283a09538f5816bfbb0ec2af844cbd85340d392f24f65833

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\982280aeb2c114df2cf5393cebab49fd\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
64KB

MD5
10e07b47d869997d40fb9974fdc886fc

SHA1
0ec57cdf388bdd4b94481a631e37ebb9516480d7

SHA256
c57b8c13cfce8a7f5b3aeb9b101b7b18c30e859384ff4718a99c9778aee37e92

SHA512
29e132bd817dc6e35861c4f64ac15f51619a2b9c1a85d5625ee25365ccd480e11b34baabc1b1f578614f9c44a4f43b3c9b5534329c064f80404489d221f25393

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b4d27a62fdf7d3c2536b4da7c5367e42\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
e800186455b5d53fd9000237012ea578

SHA1
7d2b305563cf860dbaa99fd1cc679518be6c885f

SHA256
d93bd7614e1862ebc0c1fbc9253f8e46362c90b44fa89da2a9eed24788b69835

SHA512
83ff5deb25306b0c8e865b5db463a2ca2e68f2c462661d0f77316ec838839db5acd94235447285f3cef2eb8460a8b8357eeaa1d1ef7b5bca80ca3c91c87a7ea6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
576KB

MD5
f318a084c5b350bf7eb972577fed5e8b

SHA1
599a2f7a8d6c5f7a948afeab896dfe70ad54c038

SHA256
b092fdaea00ee56b06ec883f02c0e85e0b3677e6395a544d790b2f98bb490f7f

SHA512
5f58ca7c0ed6185e1b323aaf6ec8e5089a9e36593502649c4640edd1c794d33b458cb6fffe95710e6aa328400f41a1172bf7a2f20b610b1cd592aef09eb388ff

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
60d5c630df57df9782f7d6abe1b57442

SHA1
322470d20d8f5e555c51dfe6e6e6610f41966ce5

SHA256
9eb81be5d01eb2971b876f11a1aa98cf50c1aa1103606a34b43c3c7e7f18ae3b

SHA512
ecc430966b3b6158c21b28513989ef121c9082931cd79c147b1679f72b6403877e49a164fcfe116ddcb10a2ac1c8d28b34fbd58d42851dbdf8f6ed092fcdefa9

Download Submit
memory/332-270-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/332-212-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/332-204-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/332-209-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/528-448-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/528-446-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/528-427-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/528-421-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/880-459-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

Filesize
9.9MB

Download
memory/880-276-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/880-265-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/880-336-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/880-337-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/880-287-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/880-341-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

Filesize
9.9MB

Download
memory/896-425-0x0000000074858000-0x000000007486D000-memory.dmp

Filesize
84KB

Download
memory/896-243-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/896-385-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/896-256-0x0000000074858000-0x000000007486D000-memory.dmp

Filesize
84KB

Download
memory/896-248-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/896-235-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download
memory/896-238-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1452-499-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1452-511-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-512-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1452-503-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/1648-230-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1648-169-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1668-234-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1668-177-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1668-172-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1668-171-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1728-451-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-485-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1728-483-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-444-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/1828-493-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/1828-504-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1828-490-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1888-215-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1888-228-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1888-226-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1888-222-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1888-217-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1936-231-0x000000002E000000-0x000000002E156000-memory.dmp

Filesize
1.3MB

Download
memory/2120-528-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2120-508-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2180-185-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2180-245-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2200-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2200-165-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2200-1-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2200-6-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2200-7-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2280-200-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2280-251-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-192-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2280-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2280-199-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2360-374-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2360-380-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2360-426-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/2360-414-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2360-397-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-49-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2796-213-0x0000000100000000-0x0000000100145000-memory.dmp

Filesize
1.3MB

Download
memory/2796-89-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2796-48-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2804-343-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2804-369-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2804-351-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-368-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2804-354-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2804-367-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-523-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2824-529-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-534-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2856-540-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download