a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
Size

1.8MB
MD5

35ce92e69f299076d54ea86ecdac571a
SHA1

46f6e4d56cbb8ec7ee66ce7e36c9cff0929e8b59
SHA256

a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4
SHA512

96a6d96258254bd55f3465daed3da532aab84703c7c320a45a1af80afc22b8c0db0b13dd909447d1a9f83c0c1dc498a11da4a2ff59329ec12fb6a76282111992
SSDEEP

49152:lx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA8Dmg27RnWGj:lvbjVkjjCAzJJD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
480	Process not Found
2552	alg.exe
2112	aspnet_state.exe
2868	mscorsvw.exe
2816	mscorsvw.exe
472	mscorsvw.exe
1240	mscorsvw.exe
1556	ehRecvr.exe
1444	ehsched.exe
1560	elevation_service.exe
2936	GROOVE.EXE
2748	maintenanceservice.exe
1744	OSE.EXE
2844	OSPPSVC.EXE
2712	mscorsvw.exe
628	mscorsvw.exe
2028	mscorsvw.exe
2516	mscorsvw.exe
1700	mscorsvw.exe
844	mscorsvw.exe
2276	mscorsvw.exe
1816	mscorsvw.exe
1308	mscorsvw.exe
2688	mscorsvw.exe
2524	mscorsvw.exe
776	mscorsvw.exe
2084	mscorsvw.exe
576	mscorsvw.exe
2324	mscorsvw.exe
2436	mscorsvw.exe
1740	mscorsvw.exe
1852	mscorsvw.exe
1992	mscorsvw.exe
2724	mscorsvw.exe
2496	mscorsvw.exe
1084	mscorsvw.exe
1136	mscorsvw.exe
668	mscorsvw.exe
1940	mscorsvw.exe
960	dllhost.exe
1564	mscorsvw.exe
3064	mscorsvw.exe
2884	mscorsvw.exe
2336	mscorsvw.exe
1444	mscorsvw.exe
1856	mscorsvw.exe
3032	mscorsvw.exe
2568	mscorsvw.exe
944	mscorsvw.exe
2316	mscorsvw.exe
1884	mscorsvw.exe
1428	mscorsvw.exe
2612	mscorsvw.exe
2864	mscorsvw.exe
920	mscorsvw.exe
840	mscorsvw.exe
2356	mscorsvw.exe
2784	mscorsvw.exe
976	mscorsvw.exe
1168	mscorsvw.exe
2692	mscorsvw.exe
1340	mscorsvw.exe
2096	mscorsvw.exe
564	mscorsvw.exe

Loads dropped DLL 37 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
1444	mscorsvw.exe
1444	mscorsvw.exe
3032	mscorsvw.exe
3032	mscorsvw.exe
944	mscorsvw.exe
944	mscorsvw.exe
1884	mscorsvw.exe
1884	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
2356	mscorsvw.exe
2356	mscorsvw.exe
976	mscorsvw.exe
976	mscorsvw.exe
2692	mscorsvw.exe
2692	mscorsvw.exe
2096	mscorsvw.exe
2096	mscorsvw.exe
1936	mscorsvw.exe
1936	mscorsvw.exe
2800	mscorsvw.exe
2800	mscorsvw.exe
1068	mscorsvw.exe
1068	mscorsvw.exe
1588	mscorsvw.exe
1588	mscorsvw.exe
2288	mscorsvw.exe
2288	mscorsvw.exe
1584	mscorsvw.exe
1584	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c337d8d456fe8faa.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\goopdateres_fil.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\goopdateres_lv.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\goopdateres_fa.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7AE638D3-C69D-42D5-9B63-3C52AA32D796}\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\psmachine.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\goopdateres_nl.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\goopdateres_pt-PT.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File created	C:\Program Files (x86)\Google\Temp\GUM925.tmp\goopdateres_el.dll	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3C36.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEA1.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8D2.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA860.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBCBA.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFA85.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE9E2.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1624	ehRec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1688	a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeDebugPrivilege	1624	ehRec.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: 33	2168	EhTray.exe
Token: SeIncBasePriorityPrivilege	2168	EhTray.exe
Token: SeDebugPrivilege	2552	alg.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeDebugPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe
Token: SeShutdownPrivilege	472	mscorsvw.exe
Token: SeShutdownPrivilege	1240	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2168	EhTray.exe
2168	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2168	EhTray.exe
2168	EhTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 2712	472	mscorsvw.exe	43
PID 472 wrote to memory of 2712	472	mscorsvw.exe	43
PID 472 wrote to memory of 2712	472	mscorsvw.exe	43
PID 472 wrote to memory of 2712	472	mscorsvw.exe	43
PID 472 wrote to memory of 628	472	mscorsvw.exe	44
PID 472 wrote to memory of 628	472	mscorsvw.exe	44
PID 472 wrote to memory of 628	472	mscorsvw.exe	44
PID 472 wrote to memory of 628	472	mscorsvw.exe	44
PID 472 wrote to memory of 2028	472	mscorsvw.exe	45
PID 472 wrote to memory of 2028	472	mscorsvw.exe	45
PID 472 wrote to memory of 2028	472	mscorsvw.exe	45
PID 472 wrote to memory of 2028	472	mscorsvw.exe	45
PID 472 wrote to memory of 2516	472	mscorsvw.exe	46
PID 472 wrote to memory of 2516	472	mscorsvw.exe	46
PID 472 wrote to memory of 2516	472	mscorsvw.exe	46
PID 472 wrote to memory of 2516	472	mscorsvw.exe	46
PID 472 wrote to memory of 1700	472	mscorsvw.exe	47
PID 472 wrote to memory of 1700	472	mscorsvw.exe	47
PID 472 wrote to memory of 1700	472	mscorsvw.exe	47
PID 472 wrote to memory of 1700	472	mscorsvw.exe	47
PID 472 wrote to memory of 844	472	mscorsvw.exe	48
PID 472 wrote to memory of 844	472	mscorsvw.exe	48
PID 472 wrote to memory of 844	472	mscorsvw.exe	48
PID 472 wrote to memory of 844	472	mscorsvw.exe	48
PID 472 wrote to memory of 2276	472	mscorsvw.exe	49
PID 472 wrote to memory of 2276	472	mscorsvw.exe	49
PID 472 wrote to memory of 2276	472	mscorsvw.exe	49
PID 472 wrote to memory of 2276	472	mscorsvw.exe	49
PID 472 wrote to memory of 1816	472	mscorsvw.exe	50
PID 472 wrote to memory of 1816	472	mscorsvw.exe	50
PID 472 wrote to memory of 1816	472	mscorsvw.exe	50
PID 472 wrote to memory of 1816	472	mscorsvw.exe	50
PID 472 wrote to memory of 1308	472	mscorsvw.exe	51
PID 472 wrote to memory of 1308	472	mscorsvw.exe	51
PID 472 wrote to memory of 1308	472	mscorsvw.exe	51
PID 472 wrote to memory of 1308	472	mscorsvw.exe	51
PID 472 wrote to memory of 2688	472	mscorsvw.exe	52
PID 472 wrote to memory of 2688	472	mscorsvw.exe	52
PID 472 wrote to memory of 2688	472	mscorsvw.exe	52
PID 472 wrote to memory of 2688	472	mscorsvw.exe	52
PID 472 wrote to memory of 2524	472	mscorsvw.exe	53
PID 472 wrote to memory of 2524	472	mscorsvw.exe	53
PID 472 wrote to memory of 2524	472	mscorsvw.exe	53
PID 472 wrote to memory of 2524	472	mscorsvw.exe	53
PID 472 wrote to memory of 776	472	mscorsvw.exe	54
PID 472 wrote to memory of 776	472	mscorsvw.exe	54
PID 472 wrote to memory of 776	472	mscorsvw.exe	54
PID 472 wrote to memory of 776	472	mscorsvw.exe	54
PID 472 wrote to memory of 2084	472	mscorsvw.exe	55
PID 472 wrote to memory of 2084	472	mscorsvw.exe	55
PID 472 wrote to memory of 2084	472	mscorsvw.exe	55
PID 472 wrote to memory of 2084	472	mscorsvw.exe	55
PID 472 wrote to memory of 576	472	mscorsvw.exe	56
PID 472 wrote to memory of 576	472	mscorsvw.exe	56
PID 472 wrote to memory of 576	472	mscorsvw.exe	56
PID 472 wrote to memory of 576	472	mscorsvw.exe	56
PID 472 wrote to memory of 2324	472	mscorsvw.exe	57
PID 472 wrote to memory of 2324	472	mscorsvw.exe	57
PID 472 wrote to memory of 2324	472	mscorsvw.exe	57
PID 472 wrote to memory of 2324	472	mscorsvw.exe	57
PID 472 wrote to memory of 2436	472	mscorsvw.exe	58
PID 472 wrote to memory of 2436	472	mscorsvw.exe	58
PID 472 wrote to memory of 2436	472	mscorsvw.exe	58
PID 472 wrote to memory of 2436	472	mscorsvw.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe
"C:\Users\Admin\AppData\Local\Temp\a8af525b1e7409339ad8b6536e9cfd4dd7e8aea80ce8c944e9b9890985b448b4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2868

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 270 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 23c -NGENProcess 1d8 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 1d8 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 288 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 24c -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 248 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a8 -NGENProcess 23c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 23c -NGENProcess 29c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 21c -NGENProcess 2b4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2c4 -NGENProcess 2a8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c4 -NGENProcess 21c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c4 -NGENProcess 2c8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c4 -NGENProcess 2bc -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 2d0 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2bc -NGENProcess 2b8 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2e8 -NGENProcess 2b8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2b4 -NGENProcess 2f0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b4 -NGENProcess 2ec -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e0 -NGENProcess 2d0 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e0 -NGENProcess 2a0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f4 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 2cc -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2c8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2cc -NGENProcess 2f4 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ec -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2ec -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 318 -NGENProcess 2ec -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 318 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 300 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 320 -NGENProcess 310 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2c8 -NGENProcess 328 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 32c -NGENProcess 324 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 330 -NGENProcess 32c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2f8 -NGENProcess 300 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 328 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 328 -NGENProcess 334 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2cc -NGENProcess 340 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 344 -NGENProcess 334 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 338 -NGENProcess 334 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 22c -NGENProcess 218 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 22c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 318 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2cc -NGENProcess 334 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2cc -NGENProcess 320 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 320 -NGENProcess 34c -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2b0 -NGENProcess 340 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2b0 -NGENProcess 24c -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:1780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1556

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2168

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2748

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1744

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2844

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.6MB

MD5
0d9ab7aa8e0cb825103474d89f00a85e

SHA1
531f873ee4d4f341705049a16cbe06e68a7bd91a

SHA256
1fd69a3d427caae5deb0ccaa2d51d944db5bbbf851c39f5cfd599e9391df2cf7

SHA512
10110c014f6616502172197027bbdbd34dd47a65f1f54975332acc9eb3e9f64fbcbc85e8a9f4cf2ede6dd47b8774bde3bd215ca847743010711e2a1cb6530e36

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
aa7256c0d229f66622ad3b29fd5368f1

SHA1
f19ce5090314ee5491da7f6cfca9edf771f679b9

SHA256
003f6126a3b9a95375b408ceef69d53fe48fc1b22218632adb95e40c205f3c47

SHA512
383be396fa7869770ca8a7c601d5779da3e19b9b358e717d7fb99dd335396934061dc40e3c1f5b8b56c834d7d52f6c3afeb4a016b8d8f0c4fe0b4f96de5fa0cd

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
08ba1fee5203c805f69ca5041d036bae

SHA1
bc23934ec554a350e405580dd3d3d6ca1c9ea859

SHA256
5cb14646d9a40e2b68e629ef6f1c1c7a4f46880a1b3e2b498b33a94140a55ff0

SHA512
be2365214740a3afff4cf0c1fe6ff3647ea336297f1596a4958768b508f2b1cdbb089e1067c9cd8e2196c515ca3700092a6e3c60876b11f60a9462cac60176d9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.9MB

MD5
7f8cebe3989557a89fa4ef9f32c1905b

SHA1
dca7b582fd6e80720ac54db1657790f768e17424

SHA256
d6a10701ce0bed5272402005f52cf6bae40c80a581d48980d1c02175c9ecc6e2

SHA512
bb22164c82b56be316954dedaaeafe9ec04bdcfacf4dab3c88b95f748595790d3feb5bbf8ff98d0f1828cb4627839fbb7b5a10698bc5127be2fd7413994625a5

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
e1a1354bb7bcc1d03a501aa32bd53af5

SHA1
48519217be637a44cd284b0bb3cd49297ea9ee54

SHA256
45d8f6c34cf8ee254e31b8000db4cafe237d765e1bc18ffb39f229326faa1599

SHA512
e1eeca9bac6b19eff439dd90e51a749b8b57a45ee04fbc7083db01d54b31ec13a09aaed0f294e1da78ae0946897f72e9dcfc9c17eeb665271f2414ae4bf65ab3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
60f9a0573df78f77ddba70069412061b

SHA1
3862ee9e0b1f4f0217c02de7ff14a4e3d10be54a

SHA256
87e9bcb77e76f581b1042d02f57224c5221dbef8dbef3a9186b4ababd411c5ef

SHA512
82afc6c89ecc143c81812dd327dc2167d7389ebdf65315abf24f320780b92f2c5614fc079f5ae7a474133522a20851fe8d18e8d22a623a06379d18ed43d57937

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d73f9c79a93b29577b8ed25f70986ad4

SHA1
c6f9dbfe6e5f9c22a18af3dca914a662f6063507

SHA256
74c4a1ad4be1ca2410f99f1cb250f222b9d73e72c9471e89c41f20f978943ce7

SHA512
4c74bdfa22f7860cec5f7eb910742207ddcd29657c84f8e9e74508f4d0c092efb16c3538abbe1dba6ae93e0ce8874b8ac76d3d77ee50e3519f4a89193e26ae18

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
d9af7af32bb7b8ce37e332633cb489df

SHA1
178c8218a772827fa5d8ff62a89173cdefa8fc36

SHA256
13e8b08a25d3dd47053e115184a3ee941073d61a25d43a69fcca962a75861b34

SHA512
f1432e82f2611e0524a07a37f1e544f0e2c7dc820f885e2f9e8d8789f486967b91072925514e51ca7a80b3728464b3cffa6d64f3a1e58d20ecfb0a2bfac4d566

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
271544c51e6601df79a31bc46001c45a

SHA1
faa04c53dd3af82cda172b989555128c8f703187

SHA256
7f0917091613b150042fa3b0b8511fe97be890b4f4792b8f37489e0fbafead34

SHA512
9d94c89b327ac7d4cfe4221e586447f70c064d8a7d7a35f52947fedf588c99e51779f34bac000b365b3a201e039b31896afbeabe467c56817d5c95baa1f9b7e9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
c6dad18fc0712bd0fde620ddcefa8377

SHA1
a9111e9439e74e4f0565520a08636b2cd789729c

SHA256
fc1fa5dca0850a17c53d3a52dd86820879855778c24aee101ef54aa5a1b7ac3b

SHA512
bb0eae6bfafc08857b50d617e33bed6f01397dc20cb0baebc47c11b5c99cac1325b7bd5bb6be3095caa137ab13f2ab1c17ea36efdd032055cb84519b842872bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7528e96b390720dce157a6c00a14e5e9

SHA1
26bec65857b0099cdfe8c393793ac8fbdcd5d1b5

SHA256
397a88901f5da07608ca1c7e0532f65e8d52d66735a4ae1e55f67ad21beedf67

SHA512
1b94a57226f2571d95c68c9ba1eba8c16bd67da8a75fc7fa369ecd84a11aacf484f559a9525afa972abc8ac199155bc233d58014aaa1863394d9b1690aa1aafe

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
16219fa7f907a8f0d1f860d69738ba08

SHA1
ba204b9785b0fa068bf6186856a1a483cd8d5067

SHA256
c26c81fcc4b8598d0c3f4865b712e019693827e36d2eec8895c9d4b637875867

SHA512
199dbc343252548e1fb98b0f675ac9c86266ecd8026c49dcc1a9627fb42d5b4a8cafb403582b75bd37b05e2492ab81b99cd3714073dab2074d071381524122a1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
7623795b4e35ebbc6b84beb6ccbe6cf1

SHA1
2789698629bb0526cfc0caf2dd640e40e0cd21d2

SHA256
b77f2bea446bd6cb115ea6bfb9227e0221c967b425fbc18b3b7cc7731356e2d4

SHA512
8bf7283061e401b82eb49cd832ac5851e8f6f34d2c3429e7182910a693eecf3fb6782dc1f15f00c83716edf4387957c75b92693b7ae5d6bed3e86530d4b4b915

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
6b76e453c9a585eb62e46d0874f3e613

SHA1
10b6caa027064baa0750fae933529e00888aab57

SHA256
4ad39961d13b43e047bdb930e28d8bd6cfdfcfd67fe42900ff219d4d823c2fbe

SHA512
5e7e82e0adec5f7af64694b833ac5e3f7fec7d7d986ad2106402df44dccae9f508131b7c52cc39a0278e056a1e9589130f76bd4f63f195f0acce5ce7e98106dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
1e5eb980b776564e8909d997bf7fac96

SHA1
05a6715c68ddb89e5fd7591a285ea7e3a90d947c

SHA256
06743297a029c3b3e97c5202ffa9c72376e38a12fee7efea48d43d0c310ac9aa

SHA512
60da306d16c15bd6b646867f5dfdca661920aef1a74e4d8183e0d9023c14349500c5e75762dc40d8e9e4f5addd864a171925e9c4b81bc1397d763776bd2fe2a6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
538d2e905097d6838359ad7e53f26091

SHA1
3c48f2463223ea001d0914799e99a7cfe51931bf

SHA256
e09578f3dc36291e4a2d459ae650ffc39185d447164ad99dca0d5cca815fb99d

SHA512
8e159e71722af6bfd875acb367bc2e1dc68e4fe244fc2b6dc6c56953a753b1912923ded8c0b0bfd491958f14ceab89be41c2d79b96fcd25a2783ef613af94afa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
216c1a8646020e8e506f42ec208cc653

SHA1
7a057d0e6ca6e32b2638489bd4b39dfd4cc530cb

SHA256
58a094e4893dce96664b216c936ae16fd3d64290cb5fd9f170a0aa5a5690d78d

SHA512
689755412cbe9b6a99c3c4783ac86a4410284d68f1dd76b5fa8f3b8b5434bd73c10435a29aac0eadc5410ffef4be60c64d81eb02326806c854063511c49244e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
725e2d66648a74997fc7aeb96086ed64

SHA1
3f0672a5216dc3be26a073bf6f59120b5abdd8d8

SHA256
6e4e0741a8217842d7b78411789e586be5332b39a54b449728430e810e9d80a1

SHA512
0c7d08d224d0541229583c6ca8c2a1a019274f4248a4b2e8881b5643a22e68d69a5f12c02ae02ea95e93ae2144600fe3b69753573ac8b1416289fa6affa86d46

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
64223e7004ec5a81273642ad23e0449b

SHA1
60567f8307fbd155f562902fc9737566c8103b4d

SHA256
390ff571a26260273ac392979da135dc5e474e8645090c9ad6b2ecb2a4ef80e1

SHA512
ecc4859419d9d413d67d6bab934f2b220dfbefc06aa6b7dd25997fa0c267787bdcfc2fe603a5c7bd9096b2a2a0429f2131ebff673236b18c1e6d3491e23eea96

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
581c49c8b3045807558139de0d8a6c6b

SHA1
04fd1b9e1e0fa170ac0f483fdfd5d65efd9ed988

SHA256
0428a8ee63ed0a547981bd13e8f214e499a5db767bb3d3b5953684944b354abf

SHA512
7a5c7e2b559660400236f7aa3eb9662861dfff9aa98758e21788a35cf0e3fcbb47305e92f58fe69f8c267ff9a06bb82541290f451892901df228a31ac91c4ee5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
68d7b94fe8e3ac5fe62e7c7922964efd

SHA1
63b62683ebf1aebb3d0be0465defab5230e20b9a

SHA256
a704b666f4955ba2aa7496f8b870da2ee871fb1c31d0082818fb104d2bb00808

SHA512
69c6f77a6ea022469dfabd6b6483334a00a4d2b2b60585a7b3e82eae370f25b55d074a07305874e935964b05381b3c4a074725ca0efb95ff3fc302c949a7da94

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
0f88fd164b389fea9917e0d7baa10360

SHA1
81b16dc38316ff664937983dd63a0758058b471e

SHA256
cb9bca7814b4c872d0a1e267db66044331a5258fc778120f6ae38843025aeea8

SHA512
88bdad1551b8c39e120fe296244971be5dafc44f259b82141cbbc549c05659f54b49f1daef7fc149bfc3eb363c1abed1656f44b3dbdd1d40926f8c74c6b6e00f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a867d3a0637e99fb74ec102fdfdbe0ab

SHA1
18b9e7d9b00f01f69af08c27d5a49353dd33f2ae

SHA256
75aa56aadd9b7158fdfa0d934ee0dd746ad5fea5c9ea02f53cd69a533d99d52e

SHA512
2534443ec422b4efe21df712df2eb268ddc5dd3741a51531e23357bd45579607ddd5e510c9189acfa0c8e14aa831542a02e5015f374695927fbef67163662957

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
178052c8fbfd7d0f117e7e5c27e706f9

SHA1
e44a31dbab5e72fafbe44cff703ba9c1fb1372d9

SHA256
e15bf521bb45923c02dd693444e21a60e56cdbdab2678b066a9cd5f0fb825c15

SHA512
4a5f046dd27313300f4217bb74550333ce64e82efbf677ce2e7b307b8d0d42076fbc8c02edf8322a6e05ad81c16e443f32fea09a494932c35f6e00dde5c194ec

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
ab80f128eeb6284a7e9cf6a2b40b7632

SHA1
720c0b1037f2b392a9e3ff7bd6918368cd98a73c

SHA256
0781a4cfe8e92a2d9bcfb09626b9bf495bd069bfe581f9a76909e6c9693133f2

SHA512
e39432e5287ea5621442ac79dfa1d25b3b4f41a9cf83742e5c1bef491f38d3d620f9ab246968a8980bdaef5b5551f1af01b753a5ac0c67e029020f658993fea6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
63de60ed31f6ab35f22e8ee24f737dd5

SHA1
dc83c1869dfc03d135e591cbb7383fc5eb26b867

SHA256
87cd83a321ffc5b305e3eb3821c6c7313006a2df2624d3ef8c52490b4e0b8f66

SHA512
3d71403c45032bcea04c7e859505632528b90bcd0ce16a4929c6a3788acb8a134aa92de08141c822874f46655d6de9ccce13ec330989b3ae4f12f405466c71d9

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
6a7aea9437da65af3226c1270ef1597e

SHA1
83af1a1a5521db8390da3e66ded915d0ab8e0558

SHA256
d2d1cb241d1c91a26191e24fc3e40f6ff4a3fd62080dbf5b4c104d4bc7609021

SHA512
92d40d40e490ac1a27ebb5ced1b8c7e821b4aa03ac13dd9f9e277bbacc53981ebe472b1ac48b7104952bd08b954cfacdb5e4b121710eefccca76c2bf47c2137e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0ca11fb3ebf8374543abcfed855e5789\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
f59e4d603ab48d18b372df51a9896fa8

SHA1
8d4100d129bdc96350783304e0f49e06df4e4e95

SHA256
d6d8173d5bd04e256290bbb4eb356e80e124074737213b43aff4e8870d786def

SHA512
b67259914ca3fd7d92a3541d241ed53960e8e4a128afdc3303b3082dc043156c0d8ac1ae8b6c8806c677dec1ba56132e694aa1b4cbe1ff8b78d213866d0cf6de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
0357fac505a1028f1b803e4170de3a62

SHA1
0ce8e6445a23e02b8b23e964e3cced0f304f556d

SHA256
c0d079e51a8b642b9e7fea65b241204f4d890ec4f81030b6e1cfc86ac8a2c435

SHA512
ebde8c35ffeb88ffdcf14b0e7ef669acd641822e9b3a919aeb8a29b01237a8b3b44e3a446d4a6b2fb53781e944dee94ae471b94ee12e27a279169d51a87acb12

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7bb809fad59804020c45660bbca0b2e6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
3079c64002f27555152ef8631baf9f6a

SHA1
cc00e56f7a4eef304c1272eee0b3ecf835d108e8

SHA256
96519a4091cf5d840e837f522069d553515ed227d026d626db30eedcdf42036a

SHA512
3d360dd19910cebeac516f965307cd6be7e444fcb322e1cf58dfa31c158eca764aca62651c9604d947a088436d85d5b0991f148ca074cca99173e8a94afc3806

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f9e83ee73cdbdcd452653cd1ec148cc1\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
9803610a3fc80f9730a36693fbe513eb

SHA1
86a7dd7a5702dd9b1b9a28f7db4006ce2704cf23

SHA256
9d3e3c16652ec932b768bc625e3c10df33cdb849fe3731195781d93556ab9c98

SHA512
e9eb030c5e4262208cf09d596842458607bf1236c1b5b51036f2ad01093fa983471ce2c09825d197b2913183d94aa87da825e0a605cf72b3bb4532aa591d333c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
79d96e4acf932652ae6e8528cd40508e

SHA1
f2d77bc2680f702aec8fa60d39a87cbf8e60d876

SHA256
006dae931c72fbb90aaa91cc355090c4bec7a10ed3dd649debd1d505343c32fb

SHA512
aeaaee7ad9f993b13671459f565a413aa0403093be3358b8f9edc9a931f1b576cf094498260be72a9d6595a3e88d234341bc1b89e91d997fc3870c43a284426f

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
31a4195cea9bf15cdff7c953d804d550

SHA1
cbf1b10ff7b1623a4c0acb4dcda8e2767db0bd78

SHA256
8cf530e35ee2d57643b309d154b146b941ab17ac0dbf8c3e9b8243f7edd6e15c

SHA512
6a4e24937bac152b6ab6ae86712b21648709a1313353d0238819fb44ad8bae595458e92f32b5fedb1e1a528b691760ceb860792bbc766f31f1686902008ba89b

Download Submit
memory/472-125-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/472-270-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/472-124-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/472-130-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/628-468-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/628-485-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/628-458-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/628-438-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/628-486-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/1240-142-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1240-284-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1240-143-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1240-149-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1444-173-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1444-307-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1444-254-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1444-174-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1556-160-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1556-300-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1556-258-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1556-171-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1556-175-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1556-165-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/1556-157-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/1560-269-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1560-268-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1560-260-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1560-333-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1624-274-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/1624-375-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/1624-352-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1624-339-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/1624-309-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1624-476-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1624-276-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1624-278-0x000007FEF3DC0000-0x000007FEF475D000-memory.dmp

Filesize
9.6MB

Download
memory/1688-256-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1688-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1688-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1688-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1688-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1744-315-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/1744-306-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/1744-446-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/2028-492-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-526-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2028-521-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-479-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2028-484-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2112-94-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2112-172-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2516-522-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2516-527-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2552-158-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2552-16-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2552-12-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2552-74-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2712-348-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2712-359-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2712-445-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2712-409-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-302-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/2748-290-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2748-319-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2748-320-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/2816-118-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2844-383-0x00000000739F8000-0x0000000073A0D000-memory.dmp

Filesize
84KB

Download
memory/2844-324-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2844-488-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2844-341-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/2844-346-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2868-120-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2868-103-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2868-104-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2868-98-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2868-97-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/2936-282-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2936-285-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/2936-357-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download