0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
Size

1.8MB
MD5

2439a6762146ed676b6543ec7df96d4d
SHA1

e0dfda4aedd4764487db81dbe2b47b93ed0dbc9e
SHA256

0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808
SHA512

ad75668a696cf5d510c00e57c169386713f1693336565bf64139937da593bc9c550a50494eabd9338d5c4bb77fa495eb263b62a7d1f544607dd80d22ed78dd57
SSDEEP

49152:ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAUDmg27RnWGj:avbjVkjjCAzJBD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2080	alg.exe
2688	aspnet_state.exe
2012	mscorsvw.exe
1988	mscorsvw.exe
2932	mscorsvw.exe
2100	mscorsvw.exe
1652	elevation_service.exe
896	GROOVE.EXE
544	maintenanceservice.exe
1032	OSE.EXE
2692	OSPPSVC.EXE
2800	mscorsvw.exe
2172	mscorsvw.exe
1908	mscorsvw.exe
1732	mscorsvw.exe
1596	mscorsvw.exe
1580	mscorsvw.exe
2696	mscorsvw.exe
2564	mscorsvw.exe
1188	mscorsvw.exe
1556	mscorsvw.exe
2796	mscorsvw.exe
2124	mscorsvw.exe
2040	mscorsvw.exe
2052	mscorsvw.exe
1744	mscorsvw.exe
2520	mscorsvw.exe
2728	mscorsvw.exe
2988	mscorsvw.exe
1020	mscorsvw.exe
1548	mscorsvw.exe
836	mscorsvw.exe
1052	mscorsvw.exe
2232	mscorsvw.exe
1208	mscorsvw.exe
992	mscorsvw.exe
2660	mscorsvw.exe
2952	mscorsvw.exe
2092	mscorsvw.exe
2200	mscorsvw.exe
1856	mscorsvw.exe
2360	mscorsvw.exe
1704	mscorsvw.exe
1984	mscorsvw.exe
2716	mscorsvw.exe
2268	mscorsvw.exe
2824	mscorsvw.exe
1712	mscorsvw.exe
2376	mscorsvw.exe
2556	mscorsvw.exe
2192	mscorsvw.exe
1920	mscorsvw.exe
2300	mscorsvw.exe
2168	mscorsvw.exe
1300	mscorsvw.exe
2008	mscorsvw.exe
2960	mscorsvw.exe
2268	mscorsvw.exe
304	mscorsvw.exe
1516	mscorsvw.exe
2376	mscorsvw.exe
1520	mscorsvw.exe
3048	mscorsvw.exe

Loads dropped DLL 34 IoCs

pid	Process
464	Process not Found
464	Process not Found
1856	mscorsvw.exe
1856	mscorsvw.exe
1704	mscorsvw.exe
1704	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2192	mscorsvw.exe
2192	mscorsvw.exe
2300	mscorsvw.exe
2300	mscorsvw.exe
1300	mscorsvw.exe
1300	mscorsvw.exe
2960	mscorsvw.exe
2960	mscorsvw.exe
304	mscorsvw.exe
304	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
3048	mscorsvw.exe
3048	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
1684	mscorsvw.exe
1684	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
2284	mscorsvw.exe
2284	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fe0f80f33f41c52b.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_de.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_pt-PT.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\psmachine.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_is.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdate.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_kn.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_es.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_gu.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\GoogleUpdateComRegisterShell64.exe	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A33.tmp\goopdateres_zh-CN.dll	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5071.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP73E8.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54A5.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP68F0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP362D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP64DB.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP586D.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4902.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2540	0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeDebugPrivilege	2080	alg.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeDebugPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe
Token: SeShutdownPrivilege	2932	mscorsvw.exe
Token: SeShutdownPrivilege	2100	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2800	2932	mscorsvw.exe	39
PID 2932 wrote to memory of 2800	2932	mscorsvw.exe	39
PID 2932 wrote to memory of 2800	2932	mscorsvw.exe	39
PID 2932 wrote to memory of 2800	2932	mscorsvw.exe	39
PID 2932 wrote to memory of 2172	2932	mscorsvw.exe	40
PID 2932 wrote to memory of 2172	2932	mscorsvw.exe	40
PID 2932 wrote to memory of 2172	2932	mscorsvw.exe	40
PID 2932 wrote to memory of 2172	2932	mscorsvw.exe	40
PID 2932 wrote to memory of 1908	2932	mscorsvw.exe	41
PID 2932 wrote to memory of 1908	2932	mscorsvw.exe	41
PID 2932 wrote to memory of 1908	2932	mscorsvw.exe	41
PID 2932 wrote to memory of 1908	2932	mscorsvw.exe	41
PID 2932 wrote to memory of 1732	2932	mscorsvw.exe	42
PID 2932 wrote to memory of 1732	2932	mscorsvw.exe	42
PID 2932 wrote to memory of 1732	2932	mscorsvw.exe	42
PID 2932 wrote to memory of 1732	2932	mscorsvw.exe	42
PID 2932 wrote to memory of 1596	2932	mscorsvw.exe	43
PID 2932 wrote to memory of 1596	2932	mscorsvw.exe	43
PID 2932 wrote to memory of 1596	2932	mscorsvw.exe	43
PID 2932 wrote to memory of 1596	2932	mscorsvw.exe	43
PID 2932 wrote to memory of 1580	2932	mscorsvw.exe	44
PID 2932 wrote to memory of 1580	2932	mscorsvw.exe	44
PID 2932 wrote to memory of 1580	2932	mscorsvw.exe	44
PID 2932 wrote to memory of 1580	2932	mscorsvw.exe	44
PID 2932 wrote to memory of 2696	2932	mscorsvw.exe	45
PID 2932 wrote to memory of 2696	2932	mscorsvw.exe	45
PID 2932 wrote to memory of 2696	2932	mscorsvw.exe	45
PID 2932 wrote to memory of 2696	2932	mscorsvw.exe	45
PID 2932 wrote to memory of 2564	2932	mscorsvw.exe	46
PID 2932 wrote to memory of 2564	2932	mscorsvw.exe	46
PID 2932 wrote to memory of 2564	2932	mscorsvw.exe	46
PID 2932 wrote to memory of 2564	2932	mscorsvw.exe	46
PID 2932 wrote to memory of 1188	2932	mscorsvw.exe	47
PID 2932 wrote to memory of 1188	2932	mscorsvw.exe	47
PID 2932 wrote to memory of 1188	2932	mscorsvw.exe	47
PID 2932 wrote to memory of 1188	2932	mscorsvw.exe	47
PID 2932 wrote to memory of 1556	2932	mscorsvw.exe	48
PID 2932 wrote to memory of 1556	2932	mscorsvw.exe	48
PID 2932 wrote to memory of 1556	2932	mscorsvw.exe	48
PID 2932 wrote to memory of 1556	2932	mscorsvw.exe	48
PID 2932 wrote to memory of 2796	2932	mscorsvw.exe	49
PID 2932 wrote to memory of 2796	2932	mscorsvw.exe	49
PID 2932 wrote to memory of 2796	2932	mscorsvw.exe	49
PID 2932 wrote to memory of 2796	2932	mscorsvw.exe	49
PID 2932 wrote to memory of 2124	2932	mscorsvw.exe	50
PID 2932 wrote to memory of 2124	2932	mscorsvw.exe	50
PID 2932 wrote to memory of 2124	2932	mscorsvw.exe	50
PID 2932 wrote to memory of 2124	2932	mscorsvw.exe	50
PID 2932 wrote to memory of 2040	2932	mscorsvw.exe	53
PID 2932 wrote to memory of 2040	2932	mscorsvw.exe	53
PID 2932 wrote to memory of 2040	2932	mscorsvw.exe	53
PID 2932 wrote to memory of 2040	2932	mscorsvw.exe	53
PID 2932 wrote to memory of 2052	2932	mscorsvw.exe	54
PID 2932 wrote to memory of 2052	2932	mscorsvw.exe	54
PID 2932 wrote to memory of 2052	2932	mscorsvw.exe	54
PID 2932 wrote to memory of 2052	2932	mscorsvw.exe	54
PID 2932 wrote to memory of 1744	2932	mscorsvw.exe	55
PID 2932 wrote to memory of 1744	2932	mscorsvw.exe	55
PID 2932 wrote to memory of 1744	2932	mscorsvw.exe	55
PID 2932 wrote to memory of 1744	2932	mscorsvw.exe	55
PID 2932 wrote to memory of 2520	2932	mscorsvw.exe	56
PID 2932 wrote to memory of 2520	2932	mscorsvw.exe	56
PID 2932 wrote to memory of 2520	2932	mscorsvw.exe	56
PID 2932 wrote to memory of 2520	2932	mscorsvw.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe
"C:\Users\Admin\AppData\Local\Temp\0b6c2b68ea9ebc0913a0123d7e305a685b7ec480b6b32ba9918aa8161023e808.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 250 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 278 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 1dc -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 244 -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d8 -NGENProcess 29c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 284 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 2ac -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 244 -NGENProcess 294 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 278 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1c8 -NGENProcess 284 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 2d0 -NGENProcess 28c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2d8 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2c8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2c8 -NGENProcess 278 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2f0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c4 -NGENProcess 2ec -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2d0 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2d0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2e8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2fc -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 304 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e8 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 20c -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 308 -NGENProcess 314 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 318 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 30c -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 308 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 328 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 314 -NGENProcess 300 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 318 -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 334 -NGENProcess 300 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2f0 -NGENProcess 33c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 310 -NGENProcess 300 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 338 -NGENProcess 344 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 334 -NGENProcess 348 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 300 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 350 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 324 -NGENProcess 33c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 354 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 300 -NGENProcess 358 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 35c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 338 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 33c -NGENProcess 330 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:896

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1032

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
04d302f592ecc676772a23e2b17e6894

SHA1
ba7dfc0855711e636637c7894ffa2f23d9c75ddf

SHA256
deeb9605e5a66afb292d93af70c28c2aefdbc6e406e5b5165d5830ba61c9fcfd

SHA512
2b4ee980aa41f4fcf7ffaced69f39123226f8aeb1d499a256c47247a62d44f6b49e681804a341a37264958b9972aff7a3aff1ab9d84fd2550adbb811e6ce9e09

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
f84c15e9a8780804973523ab98e8a7ad

SHA1
8cafbe6c73f493322498bb8141b27f44c21032dd

SHA256
6d0c06d8609bf836b2fcab425e895a589948d2e9e526646604089cc1331eb34a

SHA512
f4ef79e9e6b7b14a9c1acee7f4746406f5b745979f38220f3da10e4a03338164e65b35dae302f6acbbcec9db0e0a160ab6afa3b455fe451434c53f0d168ecb10

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
9233812edf120c1da8eeda8f9242056f

SHA1
c71c5af494919917e84198fa15ad16acea4a4a1d

SHA256
9683177c21d46e8da715f561a775796e438b2785717a1c0b63cadb93c154f7d3

SHA512
0dbc8b344f18af767388fc847650443bf89cb79360a1aa48b622449617c825fd96e57effb22c5c930222a196a23c458fc044d2967bdf017cdb7ec99587822b63

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
6bd4385714342e32b83c2f5e649f18d4

SHA1
94f207f14af726abe872e290f2d311e7febb8a04

SHA256
8b2597d20b5cc53fa4c4a9df138a8375288af598604da92468a9ffb934df5272

SHA512
a6fec7dfcbf544b51f6dcce1cf04465d995edd471aa9bb0f8edc236308d85a696d2842e0790ffc7b8f7df3bb12cc2416b9bf770ba911b906cec8787019de16ef

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
360852d03fd2bea156f5357c7525e163

SHA1
0f0aaf3c55ae01ac2a50f2d12488fd49a38d0a46

SHA256
63f09d268dff91f26ea83f70b09bb7f6b4f8c4dcce569bdbed7464b8b0505b31

SHA512
2d830e9f22ff4f89fe08092721c32865b8b4f1cf4343697470eccb2ffb97b331ff85c2b562f63fdf1f43f3f6da772154cf30f94ca6994b469d2b7c11d12c93f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
4.1MB

MD5
356636740a7eabee65a974803455397b

SHA1
468a8b92d89b9111490bc3cec24e18c782abadb7

SHA256
c59f393cb82eaac51b6b22ed9d80f90fbec37228945eb598d293252a2fa0deb0

SHA512
b73579334aae427046bc7fad06d2f930647e4ff9feacd427ba512eb7d8eff719a954f94c391db72a1cfa09328a615ec6d9be60b86fe5e200c815cca005ee29a2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6db9419d7d5010590c9c207c321e62e3

SHA1
9a1a15469ba8efad634bd7ea4cdbe98389efd337

SHA256
89db6bbe1071aa67a16b14ebcc182d158d4f1ea2509741941a50d3413a5291b2

SHA512
f4f0b1123ee9808809add932a82b9ffb5173d4691c54a013bb2a5375114951155fd50474649cc63337a7bf82a4e785ddf697d7bf8073b9b1186b8b409dafc023

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
9b35d9d27bfe071cd98a4ca4b857e8e9

SHA1
91ace5b51ee762337cae8fd7e76485f659b8ef57

SHA256
9101539eff1cf58f5820198cf65578db7bc660a146ba91d2720493c13d428034

SHA512
9669e0ece4bb7bdd8e9f61d9a7e3e4b22ccc30dc21522a1055cafbd003af7556dd05537142af67492e0bccb2c5c930379d9220f89004214809e2dc1915b930d5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
519c94f118c6d8a7bc45dc7e947bc8ad

SHA1
db243d8d570363c459b3d3b07f0c895e5f4a2cc7

SHA256
955e216a1e58ae875236f93a92f989144cf7cca0e0240e94518cfa7f9ac9a882

SHA512
e62882cdf0fb2a90b4916ee647dc22e2c76d89246d411f5593e2ee1741b02a144f38c98e966c2d16809be4f8284cc825be44395373c76e4a3f573007120f548c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.1MB

MD5
b18919267e7b00c210fd505709cbd5a4

SHA1
e4a7a39fd930fec1ad85b8e162c725bb9eef8992

SHA256
b2c06742c086bd2f58b97151a8d45b5a5f2b9c984ceb268928630d7d931bb5b9

SHA512
faed3d5397a8dea25976334a12c75dcb761182746e02660e7bdd4ad374060445c4e875fa0be10fbac444046533afb9ddccf6d57635740534f44246160621d102

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2b954549125a4b31be0a2455f44bbf5e

SHA1
c592de6bada0f9bcc2c30971d23199d79b53350f

SHA256
502c6ee8eef1da22d22155f736417b342c67bddd59b95a5228d2242a39f2492f

SHA512
732a779f825a7cd160e452ef075fc955119acf867985c1b74316754665d126befc8fbe59c63feb726822101bf4bd3fa7f67fa19c2e6296d7353b931a2fb45003

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
67bc059d087d48756c38ad1532521b19

SHA1
ef3b08f07578b571ad8a3390480d41d595360b89

SHA256
98aaa5d1218817ceb026654cbc19965e63a0b438a5423d7c008b6954d08b8862

SHA512
1cca324740ff90d44979aac5f93df97f31876dab847170c7dad50c5aed19b6794772bd81650d563602fbafad05e2a4cdf20c68e156be8d4c9a83b3a4a9688cc4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.4MB

MD5
8770dac7530f85913ccf91477c939f7c

SHA1
fce2edc4672477b89453c66e351ac4175be07994

SHA256
024abfea4580227a4a0dd6072bd754507175e8454fb20ec784aca02bffaa75c0

SHA512
0fe70d2d80b993816f7a9a91379a1a11777ef10f67daa636ebfe8301ee00664503bd30e281684976453c0c4f9a50c4b06fd3c694f439a4d298fd15f7f3326568

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.6MB

MD5
f6a6a5de0cc4d1e52c2c08c18c6d979a

SHA1
a4f584607978006bdc311d3a6aa5f2877185633d

SHA256
a0f56696131149291f8890bd4f174f11b05cf31bb9ba584f2a755d447932229f

SHA512
ddf59f5b336bf55494c4ab1c413596a7835c841363deaf5fd587bafcd2ff9b1fe33e0e8b3c6d701133f74c1d6f158925aa2dc6eb254f6ee06038d80d95c221c1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.7MB

MD5
c2e062e8c23f1c5ba2130122f86faf56

SHA1
6b3fb2608584030dfe99216896323df41123b957

SHA256
9fb6f25c4e75aa4caab8c38c9a84eba8d3d018963593d5a22d830781cb2d21fd

SHA512
c04a6fa408da6f7d7c22e8525d0e199b07a777f370d2b729d6d0e9d82436c70779f7fdf01a40778aa574e533039eced8590ba866c37d79093778cd5c712a7082

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.2MB

MD5
c34fb1af75d1970ab14111ea51af8350

SHA1
a6a699ca68dd61044c21cd6561a08b299f02e307

SHA256
bb130f69618f3ee7b8fed1bdb3004c6378b3e35dfbcea9a64cd36ab01aa3a2f2

SHA512
6c61a73672f7d9ea1a54c27afc61054152f68d693aee8fb4375735de4cbea0bf0f83210c5937b762422ca4bfdcbff071cc9f06c92baa80e2e8d453deeba336cf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.3MB

MD5
fc26dc1a7707cc527370cbc1ee053509

SHA1
f9397ba9466560cb928e1c8f31101be9b048463a

SHA256
f6ee0d3014b5eff7144b5ff0bd4e313242160575635231c21d8fa773f0e9ed3e

SHA512
37cbb53f4ff51d95d2a7ce7df1d9f036f69358f0ae05a35bccfbab23081251a93dc657339346a570455b6e337cb2e3dc9ef9736d14ffe69a9512909379025f1f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.6MB

MD5
53ee1fc984019e1f5a07197f7ad36b1e

SHA1
f0621599518e15519817a2f240a809f1d426a19a

SHA256
a4ab69e01cec512e043acd2fb0683b99317a00922aec8d84c2c96c1c8ef0c4d3

SHA512
e23f4a4b67113b6cce5cf7ee601dcb2ad6842df5e4e965a6ec7a8060b5f53908b87a83e68df09508b34026ba8cd60c392730092c701c8e4a806ca1e0c2a36abb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
71f323900c6e32b807ae0c9ceef91f99

SHA1
2f0ce47476381614368088b2c9c1d4ea9c4ca99b

SHA256
7d52d0f4d9463531352f9bc213a4160c9451777b7685f330d4579d6b5f644602

SHA512
4bc9d94bfd03b25d73e76231f3358b9688d68c2af4c4a4d9f5fd01aa590e0b4ee2288f509f34f9911398c4299d3e757856410462084e6374b74f4ba5f29fc3d2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
6a2243ebb7343571fd2b47c498ed82ed

SHA1
036de921ca83477bea879227a627401768312c3a

SHA256
908d98525d885a6474c398967cf9526fc3badd4564bc959bc0a0826838bfdee3

SHA512
6b243f3eefb694af7b98374bb62f912e820fa4fd9fd92ad7dc6a4b22158b7e112000d118e5032a24362830701c91db70396fafb37e59d3e7544a238cb192cbf9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.1MB

MD5
759234a1ee92d5918d0e8c6d6d557cac

SHA1
dd1d52ffd241eeb5044ed14a061f28efde99e8d9

SHA256
bea4f6127803343f7bcb82c6fcc47d7f3dc609f3407ed60d5bd56192692a3ea1

SHA512
b4248aff05e9e324e91979b4aa2011befa4ce2c15d0e2e3b2aa02e1c2fe782ccb1a2e40af1312e20a973bc5571a66ca1f6984a33cd78661e4bfdacfcf1495925

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.1MB

MD5
30b3573408e5ab9f09f8b7a7b515a800

SHA1
82b37bf178358f5f36877c0b035a906e44831e0e

SHA256
4a8b4bebec7755ac1d2245cd71740f8d1fa0c0495ffee5b28517bec4f49d6a1a

SHA512
7134722ca6059129aa8310835d324aeddfcfac42070bd5d597a98c1401fc753fee09547a50fb2ffa03be3c1fe720f70156a6f9fb15f2795aff79cc2d0fea9935

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
960KB

MD5
d4973388d72cf4b057f9e433a6f679f8

SHA1
85eba96924362630b4fec1690d14a17922558166

SHA256
22c487835b9735209c448ac21e3624b20ba53ab97888bdaca750b1237cac3dce

SHA512
498a1fcebeff344b0641e0e1da89c8acc9744de9970e559b24faf95987d3a9a2639920d6ad95b2e5c10b41d82d4208f4f3e6afdc380ee9ea62e2b3b0e990ed7b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.1MB

MD5
f48f6047e02555724485031d2a0e3b23

SHA1
443fc491d5994a8db33ff1540372722d4306ed12

SHA256
4984cb6be0ecd008f205640bb8bf9e8d4589fc6ea5a0c388453bc67d0d3b79d5

SHA512
7ef9f4761250adbc03e0cba2d53eeaceee548e7898bbb61d73ca0de332ab06e29cb92a5616c40a10efb08d5c37082342dc631f31dd54cbe0fce77e21ddf158c6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.2MB

MD5
313b5921f7ff58d60bffbf27ab5d6a47

SHA1
da24b0475bc41f8c2d9ce9eca21eb607a55816c0

SHA256
516e3939b9aeb3fb43a63b0f102410eeaa2a779cefcc23bc9ef61b992b6aba3b

SHA512
063db00c9937386adf7a077c8d43182142ce570de628f2e12d9bf40651b75fd3caf57080f84c1a3012d6d6b3c2c12695b4185932db951d96e4264d97dd543f2a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
1.2MB

MD5
0b64afdb93c7cf80c3532b7d0efa6be2

SHA1
6fd5441f06e4cebb1cbaae2e7f091a0681a7f0a6

SHA256
a91cb8d505dde7992a6330b32a25c3e8fdee2031bbbe4a7e6637ef212cc89550

SHA512
892664d452d421547afcf908187bf968fa3c7ea5b11c3715761d99e95873194bb445b47a12beb08bdc0d87cce3be6f7725c4b2c3126f88db45229c8c89075b0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
62d13825a4423ce8cd6851153057b984

SHA1
e06b89531a5a7273f8efc21212da457579ee466b

SHA256
26ce101bbdc61daba82a2c8ea55bb418690d392b6c221c63835b920535804cf6

SHA512
63d4bc7413ecb629c3e9cb22493238d6cb4fabbe0f94d69b92766af165035ab8848c20dbbb96e0b8ebec400e9dd3f00fa3cb523d056e6d75cbcc82da8a14a8ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
eaa5fe4d15155431d8d63413e5655f0d

SHA1
101361b62f4ba7dd3519c4b0228465d91cf90470

SHA256
ce72586315b4c9e485b83b5efabd7767b549f4429ff991cd8083b1eebdba16c5

SHA512
9b38a12b318580aa91befb31dc07fab46d81243993076de951a5930803152b0d0513bb87e69b2e3b9fe9363958b38d93727f79f5045c4472c3a4d4a66cef1e85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.1MB

MD5
08763d043fbdb96c60043f76c6e4ddbd

SHA1
07de469863fa0ca9e7930bd2c370b2aef3d9c09a

SHA256
5568c83fd8b05cb44aac88e0695294f8fd3731d31bdc0001c566afd29e52aaeb

SHA512
48d5f916d9556213fc8b9e672b542abc17ebf2371b316283cedb6fbdf867e5b47a9e6ce844d8ee08a48f25120e279c56b6d74d5d0a78a377889d5467321f5634

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
69b26d4a17afd8d76c315f177c24139c

SHA1
b31de20234ed67e7fc1436cb4c843e705ebdc479

SHA256
a1abd1d55c7f1deeae5624cb99a1920568e740754911916b40185bbd957d70b3

SHA512
0d94149e0b374a34d2c0d6c76247cfba49fd7dd1d0a3f97d22455f23c49ac8e44e2bcb1a1c1301b4ac743ff4893e00af03d8a779c25bce08f15bc176be8102c3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
64fc7faf041113f48256ccb087ffa718

SHA1
daf9ed8f34087e4c52867768a93fb7124bc8acc0

SHA256
4134e777012f227e7830d560aefc1c402364ed4c4dfb43b5ebc45235b9aa98f0

SHA512
723c0c549a998152031c6ba9406afd2a8cc23acce1dcd330bf54ffc97740eaa6d01c9b68d8fd03de52db0599316097ee56bf110bc6010c809a5be88b48177b0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
f33f843de50c51673bed39e8745f378b

SHA1
67a17bbea73da664b6cb5b5185826c2a6ae9024c

SHA256
3bb61c2f0f3253ac20598159535b5cbd38a60d12c7c309764d1c7aa32da4a511

SHA512
d7739d656c96a4364fa835f367267e6b43f01d95eaac0a57859b8f2e30536da2944018c512ae0a5b6da933fd1df544c1693649d2f8e03df31edb64502a98deec

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
8f121662a647753ee412ed11a0114a16

SHA1
e0050838bc07222381334c7192cf3a8c3d6f993d

SHA256
ef12b1ae03f2c1919dc08a40d2881add91ec6ba0c2b905b0d44ecf0e29e31bda

SHA512
9ef8797050ff473be2b2872a6bf4723619c0de32525fdc4baf0ad4a4bf7950f6af5bfa2865c74f1df226c860c1bc18e8e0fa1bd116066e7b5a1fc3fcb67170a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
832KB

MD5
9c1524f6bda3c64c7fbf70c05c6faa14

SHA1
04355993b44cce901e2929920b482c545f1c4979

SHA256
0757ee6915633918bd73725e4b4c107ab119a954cb7f837f9344dff7d2188f0b

SHA512
0145a627d5b99a6a1ebfa124a51509a25af7edf018273cb4f97b85843f1f65f69d5c66ea48d1fecf4372490a6e2a9bb2dcad6a1892173686cf6a9f34ce0ab14a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
128KB

MD5
c34e481422ac21316ca00b87d3c78b9e

SHA1
469fd6791adad668994083981ec04968c0671075

SHA256
578e8294994a5290188d34d094410dc4105dece399be9aa29d47f4e42c131c20

SHA512
8dc8fb7675934d05d17a6a10d45c6a68c28642116e9ffabbe897d0a5b1488fcf5e6fe3f22faac8cd0df428a84c87fa4dea99e0f3889c12d9f1cd1e9a8690c509

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
7fb6eb3abc3de489f6cb1ad56141da65

SHA1
a84ce2552bb57d3adcae00f2485e6a4ad0439c2d

SHA256
77b82812df67eb672d396ec7081587eadb989d9b9099aa8e2a0bbedcbf83e0d0

SHA512
1f316f1a0e679b373489fb53587e09b27eb01be6ab9a1fd29dbfebbd55e5c23ffbd6122312f01a177287f77294a20e1e46737f95f30cf83d570e627fca5cfbb4

Download Submit
C:\Windows\System32\alg.exe

Filesize
512KB

MD5
0b0a9417d3f8c77fc140871ca361df64

SHA1
fe6f8eed3bd8e969a8d7af94b4489d4216a84e70

SHA256
37e2eda864436cbc2ec17f348ee254d47321253cf869670e73e05c696251b001

SHA512
0275d8647b93b1fb0682d83ba14aef11f071dff180bc574ed1953a29eedaadf5477d46f29eb1b080b788278d7a3d59f8142a4e02599344550011c3da1e853964

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1b183590ee5dd1ec9eb02c0a910cbc30\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
db66b17adc2b38ce15c04254dfbd5226

SHA1
d5809dca4851a08a767eb680993975ddc7ddcfad

SHA256
87da45f1389710a30b414fcfa617c7d7f2a6291bd657a9119e63fbe8449ee1ee

SHA512
2f59428ae7523e23379e3d508bbaf6dee83258af95bd8ea6b42d1586eff0efd146f90e32f5998c3e31f1008b956d2726846b0198d4d7c3a7a37db299716d39e2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2caab4784ed9265fa1de3770b7418834\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
de4a57e03c8b004c53dd2f3b0e6df019

SHA1
dcdda28ef40fabe4c37262b553774d6ac3ee2990

SHA256
45b776c67ab68010bf6b36b256ab4f82c8cee6d140074e7e31b88bfe823780fe

SHA512
95aa404ab788e4a4bbbda0308321cf28fd81fbee17dfb92a0a0c1a35dc67e1120f787ea9ae82fefed9dc6b66893accacaf82f59b6772fa83c61052c8d52ddf4d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\51c9cf602c45730a7c8aa24c14c69576\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
136KB

MD5
2f92637a03bd090bf561a97332da5e4a

SHA1
1d638ca41c306e396ac29b3693dbcfc861736c83

SHA256
6c49a3dd68c38f3c1d4dad573aa6b7f9b1661013c3b06f60aecf67e1f61ddb02

SHA512
53575fda6920cb62abdde01a071c4e9ffe6da25aa97a56e3e2e37d8f0bc4e362832625a0f733f1fe7086c0010502675dc7be4a169a23002a87745b820680df29

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b3df3d08d8b51a467ba4440ebdacee83\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
5d41b5f12680eaf676fa663d4a17bf61

SHA1
30c44a10d11ae8bd42d70ffdfcf0d59cf46e271c

SHA256
9baeccc7a1cdd75a80654831147feced7f729c564da8866454c48ccfd0fc52e8

SHA512
9929f6565799dc2fa193e9eddaf42bbbabdc8bb53bbb738340934d9f4c432cd78fb3751f833654b3e82cfb3ca97b1bc428d6e09952f818a512a77bd02ee1cf03

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
568398798f41106b3420f2efe8b0650b

SHA1
6e400ea9e8b68e5ec3b5eaea4c834a607462c544

SHA256
7e2e5b9499f2956349637ebd9d5e8e8c39ff1e14672e9d1a10ae47e8f4ae3940

SHA512
9f5e3632d931bb6fcbda159289daf9111f479be365273b0abe07231f9817ddee9c57f3ac0d62bbd4a6f41aa8b07665f20d451293ecb6d41f1fa915c6bbba47ae

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
293e2c51e70a177bb65e7a7e4904a6a7

SHA1
dfd9ac23b7724165cd1a7c39ab54e4ba215990fc

SHA256
dbd7c5ab52cf79897a5f2ef82e75a8ca3a78042b66c426d5674042f91ade93af

SHA512
601a125bda961f078de10c149ead7124a9b5aa3ef129d4ec16497f9ad6e518e2dcda71e52721768677b789240ddbc7c527194dee1ca41a5a086454ace57e7339

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
392cc6e0c219b49468154d94ebe5ea8d

SHA1
b2ee4acad9d88152c77ddad43a4191ca2b279f2e

SHA256
3ede49abab3986614df793e014e55a68ce0e1a4e49135a03618398459be0057c

SHA512
4260098dbcc9ada0b027b874d0cdc5a706552403f6480307357da8a480f520f344b672ceb984dc3e146cc515e7b3f85321e3bdb53ec2a4d3288b0a7a434b48bb

Download Submit
memory/544-273-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/544-267-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/544-259-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/544-260-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/544-277-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/544-266-0x0000000000FB0000-0x0000000001010000-memory.dmp

Filesize
384KB

Download
memory/896-255-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/896-312-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/896-249-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/896-248-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1032-353-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1032-278-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/1032-359-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1032-283-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1580-533-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1596-508-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1596-516-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/1596-519-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1652-236-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1652-242-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1652-302-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1652-233-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1652-241-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1732-495-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1732-482-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1732-503-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-517-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1732-518-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-491-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1908-371-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1908-500-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-420-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-393-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1988-231-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1988-115-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2012-140-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2012-105-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2012-99-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2012-98-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2080-56-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2080-234-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2080-34-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2080-57-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2080-33-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2100-224-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2100-225-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2100-143-0x00000000005D0000-0x0000000000630000-memory.dmp

Filesize
384KB

Download
memory/2100-291-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2100-144-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2172-339-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2172-520-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-355-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2172-361-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-515-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2540-6-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2540-1-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2540-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2540-219-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2540-7-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2540-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2688-247-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2688-95-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2692-322-0x0000000074578000-0x000000007458D000-memory.dmp

Filesize
84KB

Download
memory/2692-299-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2692-502-0x0000000074578000-0x000000007458D000-memory.dmp

Filesize
84KB

Download
memory/2692-366-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2692-308-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2692-294-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2800-327-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-306-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2800-315-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/2800-356-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2800-357-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Filesize
6.9MB

Download
memory/2932-275-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2932-125-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2932-131-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2932-124-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download