7d29d8fbea0eb87732d59ad378e5356a994269a7264cf266144551ffcef2c7d0

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 12:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_655ce179d4c1c4bbfb3e6f4f2e2e6bc6_ryuk.exe
Size

1.6MB
MD5

655ce179d4c1c4bbfb3e6f4f2e2e6bc6
SHA1

43ab5a6d6cb861aab438f1e75dc9894d0ab2dbdd
SHA256

7d29d8fbea0eb87732d59ad378e5356a994269a7264cf266144551ffcef2c7d0
SHA512

8a3c8c8a100ec44f4b8384728f857e3dd03527edf9be4a94d1b84b57a6d670459773dd5cee6ef7bd62aaeb465836bdfa572d4711331c81e626fde1cdd456dc00
SSDEEP

24576:OvW6agTjA09bGeEoCks7WE9F5pwg8zmdqQjC60jiHkU:/6/T5SebCks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2996	alg.exe
2720	aspnet_state.exe
2576	mscorsvw.exe
2412	mscorsvw.exe
1584	elevation_service.exe
2600	GROOVE.EXE
1260	maintenanceservice.exe
2184	OSE.EXE
1692	OSPPSVC.EXE
2844	mscorsvw.exe
2976	mscorsvw.exe
2452	mscorsvw.exe
2476	mscorsvw.exe
764	mscorsvw.exe
2820	mscorsvw.exe
788	mscorsvw.exe
1464	mscorsvw.exe
2968	mscorsvw.exe
3064	mscorsvw.exe
844	mscorsvw.exe
2336	mscorsvw.exe
1648	mscorsvw.exe
2532	mscorsvw.exe
2420	mscorsvw.exe
1960	mscorsvw.exe
2796	mscorsvw.exe
2252	mscorsvw.exe
2388	mscorsvw.exe
2852	mscorsvw.exe
1000	mscorsvw.exe
652	mscorsvw.exe
380	mscorsvw.exe
1528	mscorsvw.exe
2928	mscorsvw.exe
1632	mscorsvw.exe
2820	mscorsvw.exe
756	mscorsvw.exe
1096	mscorsvw.exe
1712	mscorsvw.exe
2972	mscorsvw.exe
1436	mscorsvw.exe
1500	mscorsvw.exe
1648	mscorsvw.exe
1356	mscorsvw.exe
2616	mscorsvw.exe
2712	mscorsvw.exe
1140	mscorsvw.exe
2180	mscorsvw.exe
1216	mscorsvw.exe
2112	mscorsvw.exe
2884	mscorsvw.exe
1864	mscorsvw.exe
3004	mscorsvw.exe
1436	mscorsvw.exe
2548	mscorsvw.exe
1620	mscorsvw.exe
1928	mscorsvw.exe
1980	mscorsvw.exe
1752	mscorsvw.exe
1504	mscorsvw.exe
2952	mscorsvw.exe
3060	mscorsvw.exe
1860	mscorsvw.exe

Loads dropped DLL 37 IoCs

pid	Process
480	Process not Found
1712	mscorsvw.exe
1712	mscorsvw.exe
1436	mscorsvw.exe
1436	mscorsvw.exe
1648	mscorsvw.exe
1648	mscorsvw.exe
2616	mscorsvw.exe
2616	mscorsvw.exe
1140	mscorsvw.exe
1140	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
2548	mscorsvw.exe
2548	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
1752	mscorsvw.exe
1752	mscorsvw.exe
2952	mscorsvw.exe
2952	mscorsvw.exe
1860	mscorsvw.exe
1860	mscorsvw.exe
2432	mscorsvw.exe
2432	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
3000	mscorsvw.exe
3000	mscorsvw.exe
652	mscorsvw.exe
652	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_655ce179d4c1c4bbfb3e6f4f2e2e6bc6_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e54196e53d2ec148.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8D4.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC5BF.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB49F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCE66.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCA13.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC3C.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC27.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBD27.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 59 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2156	2024-04-05_655ce179d4c1c4bbfb3e6f4f2e2e6bc6_ryuk.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeDebugPrivilege	2996	alg.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeDebugPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe
Token: SeShutdownPrivilege	2576	mscorsvw.exe
Token: SeShutdownPrivilege	2412	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2844	2576	mscorsvw.exe	37
PID 2576 wrote to memory of 2844	2576	mscorsvw.exe	37
PID 2576 wrote to memory of 2844	2576	mscorsvw.exe	37
PID 2576 wrote to memory of 2844	2576	mscorsvw.exe	37
PID 2576 wrote to memory of 2976	2576	mscorsvw.exe	38
PID 2576 wrote to memory of 2976	2576	mscorsvw.exe	38
PID 2576 wrote to memory of 2976	2576	mscorsvw.exe	38
PID 2576 wrote to memory of 2976	2576	mscorsvw.exe	38
PID 2576 wrote to memory of 2452	2576	mscorsvw.exe	39
PID 2576 wrote to memory of 2452	2576	mscorsvw.exe	39
PID 2576 wrote to memory of 2452	2576	mscorsvw.exe	39
PID 2576 wrote to memory of 2452	2576	mscorsvw.exe	39
PID 2576 wrote to memory of 2476	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 2476	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 2476	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 2476	2576	mscorsvw.exe	40
PID 2576 wrote to memory of 764	2576	mscorsvw.exe	41
PID 2576 wrote to memory of 764	2576	mscorsvw.exe	41
PID 2576 wrote to memory of 764	2576	mscorsvw.exe	41
PID 2576 wrote to memory of 764	2576	mscorsvw.exe	41
PID 2576 wrote to memory of 2820	2576	mscorsvw.exe	42
PID 2576 wrote to memory of 2820	2576	mscorsvw.exe	42
PID 2576 wrote to memory of 2820	2576	mscorsvw.exe	42
PID 2576 wrote to memory of 2820	2576	mscorsvw.exe	42
PID 2576 wrote to memory of 788	2576	mscorsvw.exe	43
PID 2576 wrote to memory of 788	2576	mscorsvw.exe	43
PID 2576 wrote to memory of 788	2576	mscorsvw.exe	43
PID 2576 wrote to memory of 788	2576	mscorsvw.exe	43
PID 2576 wrote to memory of 1464	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 1464	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 1464	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 1464	2576	mscorsvw.exe	44
PID 2576 wrote to memory of 2968	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 2968	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 2968	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 2968	2576	mscorsvw.exe	45
PID 2576 wrote to memory of 3064	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 3064	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 3064	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 3064	2576	mscorsvw.exe	46
PID 2576 wrote to memory of 844	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 844	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 844	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 844	2576	mscorsvw.exe	47
PID 2576 wrote to memory of 2336	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 2336	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 2336	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 2336	2576	mscorsvw.exe	48
PID 2576 wrote to memory of 1648	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 1648	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 1648	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 1648	2576	mscorsvw.exe	49
PID 2576 wrote to memory of 2532	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 2532	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 2532	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 2532	2576	mscorsvw.exe	50
PID 2576 wrote to memory of 2420	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 2420	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 2420	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 2420	2576	mscorsvw.exe	51
PID 2576 wrote to memory of 1960	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1960	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1960	2576	mscorsvw.exe	52
PID 2576 wrote to memory of 1960	2576	mscorsvw.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-05_655ce179d4c1c4bbfb3e6f4f2e2e6bc6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_655ce179d4c1c4bbfb3e6f4f2e2e6bc6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 238 -NGENProcess 1ec -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 240 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d0 -NGENProcess 1e4 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 238 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 238 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 238 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 260 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 26c -NGENProcess 274 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 264 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 280 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 264 -NGENProcess 278 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 29c -NGENProcess 260 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 280 -NGENProcess 29c -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2bc -NGENProcess 26c -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 264 -NGENProcess 280 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2c4 -NGENProcess 2bc -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2a0 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2e0 -NGENProcess 2bc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2bc -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2e0 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2bc -NGENProcess 2f4 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2c4 -NGENProcess 2d8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f8 -NGENProcess 2d8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 304 -NGENProcess 300 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 304 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f0 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 30c -NGENProcess 2bc -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2bc -NGENProcess 2e0 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 31c -NGENProcess 2ec -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 30c -NGENProcess 320 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 324 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 31c -NGENProcess 308 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 308 -NGENProcess 324 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 330 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 338 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2f0 -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 340 -NGENProcess 338 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2f0 -NGENProcess 33c -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 33c -NGENProcess 328 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 328 -NGENProcess 348 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 324 -NGENProcess 354 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 334 -NGENProcess 348 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 35c -NGENProcess 328 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 338 -NGENProcess 31c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 274 -NGENProcess 1e8 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 338 -NGENProcess 324 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 324 -NGENProcess 31c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 348 -NGENProcess 334 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 23c -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2600

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1260

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2184

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.3MB

MD5
76bd15bf49f5d1ce41a898eba709366f

SHA1
8e464d3cd9c03221d5a00e7884e405edf60315c1

SHA256
6df473fbe0fc599414460385ae94ba8a2c2c494c3870a0dc739b156af195bb47

SHA512
c8efc082d0fc1e83135ad20ff934a4ca18be09748b072d8976de78fa6489a5e0b73050f2626bd75fea7f343ce03f7c95b55b7caca39a2604bdbfd9fc50787fc1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
493bd24050d73f736293ae52f6b87628

SHA1
f4cf761f88fe32d11ca26ccbce4a570f6c2aa30a

SHA256
ad89343286b4e4df4a5e1bd2f110c2a3cb75437dabb53ebcd57cfe5333a7d8d0

SHA512
7e8143dafc1121ca4c59bc3df7a9f929cf37c1781c4b387329994d04fa02c492f567d6804611aa61a9c88d187978cf9d4b391290486d568a863bffd0ddd271da

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
534bae6da8bfd116875f8e43781b186d

SHA1
91c67a9c6f2e4c00b244589f97eb3eaed2aa81bf

SHA256
99a4f607a5dc1fb34c768e6aaf8500ffac81d11ca2b7223ec3855a15ef1c3d8f

SHA512
2ae7559553f9ecc69e308c6fc81015f0dff70fa2f095134b7c9d5f3eab2d1a9892069478a1575dfd09702763cb8e9191a02c144706dff50d329f38bc425a1842

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.7MB

MD5
fcaaddce8a5ad9c1ce717a2fcf3843f8

SHA1
81de096b6fe8d2d037442d13ba18e347d8283997

SHA256
da5ccc796dce3b1dce118ee124da91b1b426f3c796f102392bb5fe83e6b08423

SHA512
a3a6c0c9534cc9d24ea24df6385b8c9e9ed4215ac7a31c9f1d486591595ffd3ea29d2162c978ac15a626f2d5bb21fb65db9bd50272cd67541a6223335b09b834

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
bb85dbf1eba0c555ef1d36752e91c032

SHA1
8945c06a5c332077878845505015d31fd3320d1e

SHA256
f70d125ed7e1124b5b0635a8448dd872dd6fdbd4553665f6758ffff610e54ec1

SHA512
091a4baac514f381a161a51e2f70b2681152300cdc576cf3df7e21ecfa7715c046fb06dc346d3d86db0dc5366cb2b59c911d65f7b317fac2b74a07133cb91508

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
714cd93f140cd014b0bbb7a0e9df03ea

SHA1
804cd5f5c77e95c56eabdc5bddbc6871a23db573

SHA256
5c9a55624b601c1d28b3979cd172bbd27ec9dca3f52af976292e30a9117060a9

SHA512
9ba440e8ddf637587dd021501760c0de91f903710de3ab6e3370e5be7235a9bf267f569cef18a2c8e7f806abd1971b4cbfa74e92ca0397ce25e0f8eb84617fd8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
75a6d30805983e211dbb9ec32523d7b2

SHA1
4fdb57e028bcb6e409346b3058a4f7ef89b3ef3b

SHA256
0320a4cfe142e9f45a47c33c1a21ed138a4fa4f2bb93674f5be93d5c111f7dd4

SHA512
1516f7b1f896d3fe3214bfaac2af4ee1a8c64db1b7bfaef2f8ab6a15f3f01549d99000e1f9cbb7f93c97fa37f524dc0701c3c487aedf0a768e9b2187bb08ad5f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
aa5e9851b32d4b6caf91dbc7284e3822

SHA1
90d1e4faf2dd4640b0cf2147f819097c0a6cefb5

SHA256
a9edb24d2843c9f5fc5a98f94f071115375c3c571cad033199dade3edee322df

SHA512
98b63077a5d98481b620e5d6758d3266b5da0d9260a546a682d5f2eeda473863d699705df6f3c56c5622d97e24e0f9d240fbc9bea3f871974306f9e32f5e3a7e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6bd733b9d6652ab4ce9ca60b19137bb2

SHA1
9bf129de312d64aae6fd444cf76c075d2ba2b1a1

SHA256
a3e6c7d807b248159f8a9ea3a173b12ca57420f168990798bf898038d392131a

SHA512
89ed6a425ae88fe1259a85b7e9b9c7414216e9bdf4a5ef5c12446321f9e7905a5e0023027dfa20e7a66cd2448eb9205a85f2db904a29f1bde68b0e7500809dff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a4d531f261bd9a68fb17206a1a4c15eb

SHA1
2e8614c2e1eda0c37eaec4f19fa6fa80fc99a106

SHA256
c794e565fb372584b4a5078ed306601e923438ea9733075f1fba6f93bd26e769

SHA512
27296deadc402471291fe5a579cb122e6e2920ca3ef0751dae2db1a766caecf963888aa7345b5ded3b749b863513d2731f27c5b6476825e130e822955bc7a380

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
085955ee3316ad88f3dfbe014b13fc94

SHA1
9e3763921d329df5667140f660c172d33e7b6aea

SHA256
d493d81ac012ee619182c11568b7283b663baf84098a0ad4c34a12afd9b309cf

SHA512
e713d6d43b3efadf20a83520e3490232180bb793f797c39d95ae425831c14978dd66be8e277b0c1589f8f5bce900c3aadbe960995631175e66fe5c5c9f3de18b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
478b6fd35b472b52b975d819e35b1e22

SHA1
4dc897884ea24401a2553c8743f9c2720c17acf8

SHA256
c246d78bde530b56ee8b3f84506825d6c378e5fc4c754a7225c248c1b9c141c5

SHA512
bc67a33986d1301f8705e484f3853eb37515c650d803e784d682700d181651bc9433a56fb8fbe118a23634c3b397b78768f9820020574b3c5b494e0d4ad66983

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0ecf7b6ecbffac0e51ce28c74a8b3f88

SHA1
e356cbbceffbf49e510a8914ac519480f792b5ef

SHA256
d80face10b2ef1ceef7389c761cbf72cd1ff88a75f9e41f9e53553a07d581137

SHA512
93dec73e6a22a909cb60e8044f05b8ac69b3e2bfff49385bb03fc1d7b5dbda42025c4970c0b3f0c92451c8bec92e024ade16007f7c3085c5c97eefdbb41333cc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
0d55f10629d59b9d9038e5099eac5bcf

SHA1
e027c3dc20b119fc3acd47bc7a057b6ac11a02c4

SHA256
49b3bb2cfffaa43359d1d65ec4892b0e7ec8bfcf39c6bc7c2354297f8345e9a2

SHA512
8c7a78bfd895e9e38b2703dc6e29f34e348fed3a33eafd9720abc13623ec78c2b4b778a175d26c64fef8cfd529ba75c58e9b48db26c92e12528acf378596604c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
79d686e66ba91cb437c9948bcc3d0ec5

SHA1
c106c3c808698b31d98168f555651d78d5cf062c

SHA256
37b18159f6d14aaa6d72102d865712e57b359f03112f6327b5d80bc7f127dff7

SHA512
ad27fea5939c6aedece13fff7efad05a0d8368788c3e40dd6a5de9cfe9a9596c1ce658e50916c81784bc1049b95620d3d1ce068c6280e9ced958f3d1435bd264

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7a07a1993b2638e9e93021dd5ba521a1

SHA1
a58438f1b6334126b31bf102caacf6c2476a9dcc

SHA256
ef192d844a97769b74a1f7f79c982e9f604852ea9b54fa3a0e7a192d689be44d

SHA512
5ad5b6628c97379abb8867ea732f5e082c1b62e4288ceab192fac61ef0e9700890e85692ee753dbcae8c8ce85ed3dd04cf9a9479298b931d8365c4ed750123b2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
3a437ce55d325317c50ebbb4bf139d10

SHA1
afab18d0edfffb9160f6244051f2e8f56bef5d40

SHA256
f05e12e0279bc587968a8f51596ad530be0b7d8f79dd78ed327071a2ec9bd2a1

SHA512
3092ccb0580e03577908f65e08902c0505c38e2d107ddaae63feab54cdefe2302e80642175bc165e3bb370ca02f5c1c62b351188a2e54b0f3a6fa5ad9c42985b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c37b2b7d4af47b539f57f4d80f11b060

SHA1
d6efef18b6f10889fd4f807e303c7b42a9b9d819

SHA256
b4288bcab6cdf4776771a493f37b39b6150c042b181c66d2f07785dbd4ca2c48

SHA512
dd291f3fdf5990c0da03b6b55d2136d9a345528f4fbad89157399a14e13ed5c93d847fd969ac8480aa8a7c33aee3845b88cf563967afb732927fd6cfbadb7981

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
1.2MB

MD5
897b12eca7bfa1059ad3957fe72b0177

SHA1
2b1e3459384c170e285ba8148d37660025505846

SHA256
970198e2540c685643bc118581c506d8f578425d724e3c1ef69208b66e447d48

SHA512
999d76951291d899e5b6964027baa58b134a63a876d3f8c26b53750e039b67ff9b68edc002b6ec71779b3f142b6863511892905a3ec676f4b17fa3ca2bef44a9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
1.2MB

MD5
e6418e2882962cd3c343cb83335e49b4

SHA1
d455e3ad5c99e0386aac348c1cdb03c9b6f8c783

SHA256
233da56c7ad28f37d1d23e210878c70596fdc5c1c6b88304617517d9c1a465b4

SHA512
ea9d9a8cf0822013e49d643b6af0bb708454a41f42e00705b699a430bcec1efc98fbcf7c75c03b85a5fd5e9646294d100c252e33523c60ad9f017fab58194598

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
1.2MB

MD5
a6f7bcdb344eb87b464be7fe88d33e48

SHA1
39900d6336220e88ff9ba375868bc95fe51e9535

SHA256
a33540bb5804346c85926b5dc58d84933cc5a3a43a7f69834dff9abe4d8709c6

SHA512
9302460a959aa730c5e4dcdfac3e35725effb0cffd31a0dc6fb63d6fca2b23d28c1c4c31c59d8b3164754f03b71ea240cbd4f1885caa0963a513017945c98c9c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
1.2MB

MD5
806093075974eb0244ca7d97ed1d9038

SHA1
5daf7345380e0a556d3a76dd28e00632cf860ae5

SHA256
30ae1dd03d59492a88cd045485a449c9d5a6fb55480177c6106981c55ea3daad

SHA512
b3030d6e3ed860e6dbbaac785fbef45e1a5925b54bfe5e594f2e917b05e514d88c9f85fd3c1606981c0d3725ed12781a9a0058b3cbb092136b136dfc12613e5b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
1.2MB

MD5
70983da09396aef9c08a3167998f4cd4

SHA1
16bd9728dbb4a9cc8fcf7bdf1aa9aa889b71f5f9

SHA256
63d90a39a0c12286a34c97a2fbd689310bb196bb84c0d30d17672701669d4ef6

SHA512
af3248808c7c0eadbff5d4b3768e3795197004c7e42de4b6b6f92e034bf79215ba5ba1fd45e417f15283cad0f0f0a224604703fe9331685f7d16cb56cca7792b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
1.2MB

MD5
758b46f0cc371555adc6cf3f4aeff850

SHA1
4108348d5d164b8eb1b5587d84fbe0f25fd37e67

SHA256
a495583ee90a74687e681069cdc9558b7261592e785e279e244bbd1234a4ace8

SHA512
2651f58388805ca43801a09d678861608c54b1ae4e6f45ec35203923d627d4133eb31e464e47e146812ceb3ae19e89626de04a69137abbf827de28a89df8ae6d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
1.2MB

MD5
173d719b66f92f8a5ee44825b4a17dfa

SHA1
0ce2562a76c2ac812d00da1b2e41e14a46dfde76

SHA256
3050af4dc28c6022823232eeec701063c97403706e27c0e33b5304181fb2b49b

SHA512
9fc9e3114a037b3ebea01213fb82ae6fa161fd8879afa8d18bc5fd43f1ff6732fcc0c707f6b564f1b626dca0972927b7b65b503afe2a4abd9ab4533e26cbe126

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
1.2MB

MD5
a784ff7ba1a351ebab3d4a554887943f

SHA1
df6738dbad2cd5498e16895a7cfa8f0d2d0d0bbc

SHA256
83b7a81534875333d7b18a8aac38aa2e377f40906439404d8feae8ef184d7444

SHA512
d445940b2101e031db1fe5eac2ceb34e76116f9534f9e6784260dc8aa32218b3a469ce55f8f33abcb392d6dc5a364b10ab0fc0acb2f3a712f8e7adc7a334a33b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
1.4MB

MD5
38f0503bfd0199b6ba8c3116c5af5d44

SHA1
a02619c74cc52864c70a88a75d9d9d00f1a1f887

SHA256
3330cb676cc6379f9d624897f88a517014fae127370eedb374026e9d58ac20b4

SHA512
50c757831db8719c257824d484bb93f73ac4017f6ea91d57b700f82aeadfba0822e693cd28ff7fee8b37b10c8d169321b2c8365a933b7b1ffe098a9d3020cbb0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
1.2MB

MD5
e622f797bcd224f5acc750f597ff3bd7

SHA1
6fe43d64fa9624bfefa85e7d439315b91db15094

SHA256
258ddf4f65d05daad3b2d5f3ca4ecf183183ae5026c036569e35887279c25cb6

SHA512
c75a44284e8488d3ca7dffbbad023a46cf741ddd68b01c67e55f2028e3bd22708f652a3effe2696febed2033cd0ce731b47fb7564690778c0dcd9fd6a9b8b7b7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
1.2MB

MD5
a706b331f8ade22420bd562d2c2d207d

SHA1
3541cbec8f5ca3fc8854489da14ab54f651e86a9

SHA256
1ba75872af4e6db3340f5bbe47a27742f780e1b78edcb37f309e26b1c221b237

SHA512
a284dd426a8a365a4c742af983a638419e4856682352d7f262d73d0d1b4f25375257c1b2795a67ac72ab01802547ef1003621a319b6d3003af9164c90f402b04

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
1.2MB

MD5
3133070833731a41fd1a7b1150807280

SHA1
b6615decd77f35b08442ece7c60c6a7e8334a475

SHA256
867050c53be6d2d07aef9833c080d85fd23abf36a3f4b77f97358cd7ac27f2de

SHA512
7c3a0c5d76b9813ff69be41cb5e866b8ab26ef1db0ffaf0b1d60e2672e446b95edf3a10a5d9fabe3c620f52cae5e7de9ad01071ebd93d9a276339fec2bab992e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
eb6da74c5e47eeb743446c491a871dc9

SHA1
37c3243695690cc3b5601acb382bb28d66688020

SHA256
c0af049e676f322c85773e6454b1fbd98ac14ced8026f3a00ee6878c692cbe16

SHA512
e0455736609790eb20a1375ae0f47030e8b7f47afdf464a31e0f90facb553a6b064e4a1af4881e3881433e76a1c464efb421e3e8096cf4639b2cc6ca70b0598b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
0d667005744973587092c38075fae48f

SHA1
0d8af36bdcded03ce1337ab11694b218f0a02a5e

SHA256
a53db970ccfef2434412a75a9cf211d9fbd3993ecc3d0db3d4c23cc79b914eb7

SHA512
e70116d1381385ccc563994659e3d5d0c8385a40aee7a2674ef75c28b0a24462c514b5f530170811991852214d0a2266e1aef9ad87910be7137fc01dbece42df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
2ee0ae0c87a2f064a714be71b6029e6f

SHA1
01466135c51f94a1a2b24cfda07c4570c3aea1af

SHA256
fdfa418d9b5b7f1b2f31b20926b372144cf33bf64c57b308458cdb4e8abffd16

SHA512
669e8de4dd038bc68247ef971869fb94b57664c393ff6f973465bad0a7e8f6e2bf236bdbe008988bcf940c9a4294ba2f2f3ea83b9e0e1f0efb97f73ae8014735

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2069a2f4281411b586e476744b5a2569

SHA1
7615e8ea054f005c0b5844aab7d90c9e39b498db

SHA256
5ccfd5e53836f70feb004c4c2df62f735dfc660c5303e9cbc23857d03d7a5c2f

SHA512
64cd6cb2023df90896a3ebeb59eedcd975962bb50050b37e535548d162db2eee699e6f2db6b14f3593db925258a0329009d1957367553337676e917a9c4cad91

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3ce4b26a9ce527805391a444f18ea7dd\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
fd73822f7954f8c33ae4ddb29703103c

SHA1
4b100fe60da0b73a69a5c0ed3220e927275be29c

SHA256
0219d7ee7d5a48ecf197faae1e3187924f8b15117e68fe8f6a047a5da0dce853

SHA512
1874903a3bf0c4138dc0b73c083b703f95f3f490f1f7a3d791fc82371e325aa28720b9c4323224bc1d37de25347fd6622de0cad8e4d26b909b08da053d9dac0e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
6f9f108fa2279e1c28463809d1ade2ae

SHA1
f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d

SHA256
bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8

SHA512
9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5309dd4c277eb83b6a9b45906f665b34\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
ac74b60dfccb99e57b97cea38d6fb4d4

SHA1
f69650b1025eb6a6479b1a832645871dff98067f

SHA256
deceecf05b416f97767adb3bc637e3778ded77866108b46b7217db21a740e9a4

SHA512
617accf09b14af20cb1cf7ca28c3f56d058e83634bc58c2720b33c35b67fe6dc99ee2b60ff5268dbd7e200d042f42b1456791d7cbde00c2ecd88a2cb9f5c9370

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\eb0946efa2eca91ad3d9e170c3d0ed93\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
f92fb6aca05b4c1ac3800d0f8b152dbc

SHA1
2d848f83596cd1991ba0eb72a246cea5ba3fb774

SHA256
e58ee5cb24c922969548fe4a3a0a0988c13b8b1e4140c5ed7bc73512ded47deb

SHA512
653b0af9d45a5d0aec27c3b3fe6e9ba8dd5cb5b5632b3a9135e7928abb242597edbe5ab7f926ffc8d8d59f1e9053af90db9ce23a571b03a37e25d8e172045044

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
69ef851fd08fd3ad8692c6c253c4fae4

SHA1
411a81bdf620aeb0adf164dff9e4e7ad2a85d7d6

SHA256
d8fcc13c81436fbcb32f6619361070a0d3074e9ed44f5bc2890a7fb2806d7684

SHA512
d85a7f63947928c791bf86eaf3308c0f8a89e991b4f246d226ef7642d058cf550fa1da24d92904ad8f96d83cd0ffbf50ce87e845cd623c7a15e3d7e4e838ee6e

Download Submit
memory/764-350-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/764-373-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/764-374-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/764-372-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/764-360-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/764-354-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/788-401-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/788-391-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/788-388-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/788-381-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1260-93-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1260-86-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1260-87-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1260-97-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/1260-100-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1464-397-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/1584-64-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1584-66-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1584-71-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1584-124-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1692-123-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1692-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1692-116-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1692-127-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1692-133-0x0000000073F88000-0x0000000073F9D000-memory.dmp

Filesize
84KB

Download
memory/1692-332-0x0000000073F88000-0x0000000073F9D000-memory.dmp

Filesize
84KB

Download
memory/2156-8-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2156-7-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2156-0-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2156-12-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2156-1-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2156-14-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2184-310-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2184-105-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2184-109-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2184-102-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2412-49-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2412-56-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2412-50-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2412-113-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2452-342-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-343-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2452-318-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2452-325-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2452-328-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-348-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-359-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2476-339-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2476-335-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2476-356-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-358-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2576-103-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2576-34-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2576-35-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2576-41-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2600-75-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2600-281-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2600-81-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2600-77-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2720-31-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2720-94-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2820-390-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2820-376-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-365-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2820-389-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-371-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2844-305-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2844-306-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-299-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-292-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2844-291-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2976-327-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2976-311-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2976-326-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2976-312-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2976-302-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2996-25-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2996-24-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2996-17-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2996-18-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2996-83-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download