dbd7f8a6ceded62aa44fa95de02427b9d9ce19fa8282306906cf301d9f344488

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_3c01e7128d293c0097ca0c61bf6e4ea1_bkransomware_karagany.exe
Size

677KB
MD5

3c01e7128d293c0097ca0c61bf6e4ea1
SHA1

870cc9966ff8706932ddd23aed8bdeab643990db
SHA256

dbd7f8a6ceded62aa44fa95de02427b9d9ce19fa8282306906cf301d9f344488
SHA512

89f7afc61405b7c82958bdcdd56888bc57713069acfb824baf7aad9fb4f836b93eea9ab1151e96038862b0ff44a5abce222949e3b563d4547411ee56c9777ace
SSDEEP

12288:7vXk1HGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:7k1mt/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
476	Process not Found
2716	alg.exe
2672	mscorsvw.exe
2548	mscorsvw.exe
2584	elevation_service.exe
892	GROOVE.EXE
2704	maintenanceservice.exe
1876	OSE.EXE
2760	OSPPSVC.EXE
1716	mscorsvw.exe
2376	mscorsvw.exe
2400	mscorsvw.exe
2724	mscorsvw.exe
2292	mscorsvw.exe
1940	mscorsvw.exe
1968	mscorsvw.exe
1604	mscorsvw.exe
2360	mscorsvw.exe
2116	mscorsvw.exe
2476	mscorsvw.exe
2924	mscorsvw.exe
2268	mscorsvw.exe
2496	mscorsvw.exe
2160	mscorsvw.exe
2960	aspnet_state.exe
860	mscorsvw.exe
2796	mscorsvw.exe
1684	mscorsvw.exe
2016	mscorsvw.exe
328	mscorsvw.exe
2440	mscorsvw.exe
2304	mscorsvw.exe
1728	mscorsvw.exe
1256	mscorsvw.exe
1536	mscorsvw.exe
2232	mscorsvw.exe
352	mscorsvw.exe
928	mscorsvw.exe
1100	mscorsvw.exe
1672	mscorsvw.exe
588	mscorsvw.exe
2348	mscorsvw.exe
916	mscorsvw.exe
2352	mscorsvw.exe
2556	mscorsvw.exe
1992	mscorsvw.exe
2236	mscorsvw.exe
584	mscorsvw.exe
928	mscorsvw.exe
2332	mscorsvw.exe
2696	mscorsvw.exe
1644	mscorsvw.exe
1256	mscorsvw.exe
700	mscorsvw.exe
2748	mscorsvw.exe
1160	mscorsvw.exe
2764	mscorsvw.exe
2796	mscorsvw.exe
624	mscorsvw.exe
320	mscorsvw.exe
928	mscorsvw.exe
2116	mscorsvw.exe
2244	mscorsvw.exe
2920	mscorsvw.exe

Loads dropped DLL 43 IoCs

pid	Process
476	Process not Found
1672	mscorsvw.exe
1672	mscorsvw.exe
2348	mscorsvw.exe
2348	mscorsvw.exe
2352	mscorsvw.exe
2352	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
584	mscorsvw.exe
584	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
1644	mscorsvw.exe
1644	mscorsvw.exe
700	mscorsvw.exe
700	mscorsvw.exe
1160	mscorsvw.exe
1160	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
320	mscorsvw.exe
320	mscorsvw.exe
2116	mscorsvw.exe
2116	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
1336	mscorsvw.exe
1336	mscorsvw.exe
2552	mscorsvw.exe
2552	mscorsvw.exe
1760	mscorsvw.exe
1760	mscorsvw.exe
2652	mscorsvw.exe
2652	mscorsvw.exe
2204	mscorsvw.exe
2204	mscorsvw.exe
1664	mscorsvw.exe
1664	mscorsvw.exe
340	mscorsvw.exe
340	mscorsvw.exe
1604	mscorsvw.exe
1604	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e29357fa43e3c333.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_3c01e7128d293c0097ca0c61bf6e4ea1_bkransomware_karagany.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index158.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8D51.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC1F8.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8E2C.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8F64.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP893C.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-06-15_3c01e7128d293c0097ca0c61bf6e4ea1_bkransomware_karagany.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8871.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP846C.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2020	2024-06-15_3c01e7128d293c0097ca0c61bf6e4ea1_bkransomware_karagany.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeDebugPrivilege	2716	alg.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeDebugPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe
Token: SeShutdownPrivilege	2672	mscorsvw.exe
Token: SeShutdownPrivilege	2548	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1716	2548	mscorsvw.exe	36
PID 2548 wrote to memory of 1716	2548	mscorsvw.exe	36
PID 2548 wrote to memory of 1716	2548	mscorsvw.exe	36
PID 2548 wrote to memory of 2376	2548	mscorsvw.exe	37
PID 2548 wrote to memory of 2376	2548	mscorsvw.exe	37
PID 2548 wrote to memory of 2376	2548	mscorsvw.exe	37
PID 2672 wrote to memory of 2400	2672	mscorsvw.exe	38
PID 2672 wrote to memory of 2400	2672	mscorsvw.exe	38
PID 2672 wrote to memory of 2400	2672	mscorsvw.exe	38
PID 2672 wrote to memory of 2400	2672	mscorsvw.exe	38
PID 2672 wrote to memory of 2724	2672	mscorsvw.exe	39
PID 2672 wrote to memory of 2724	2672	mscorsvw.exe	39
PID 2672 wrote to memory of 2724	2672	mscorsvw.exe	39
PID 2672 wrote to memory of 2724	2672	mscorsvw.exe	39
PID 2672 wrote to memory of 2292	2672	mscorsvw.exe	40
PID 2672 wrote to memory of 2292	2672	mscorsvw.exe	40
PID 2672 wrote to memory of 2292	2672	mscorsvw.exe	40
PID 2672 wrote to memory of 2292	2672	mscorsvw.exe	40
PID 2672 wrote to memory of 1940	2672	mscorsvw.exe	41
PID 2672 wrote to memory of 1940	2672	mscorsvw.exe	41
PID 2672 wrote to memory of 1940	2672	mscorsvw.exe	41
PID 2672 wrote to memory of 1940	2672	mscorsvw.exe	41
PID 2672 wrote to memory of 1968	2672	mscorsvw.exe	42
PID 2672 wrote to memory of 1968	2672	mscorsvw.exe	42
PID 2672 wrote to memory of 1968	2672	mscorsvw.exe	42
PID 2672 wrote to memory of 1968	2672	mscorsvw.exe	42
PID 2672 wrote to memory of 1604	2672	mscorsvw.exe	43
PID 2672 wrote to memory of 1604	2672	mscorsvw.exe	43
PID 2672 wrote to memory of 1604	2672	mscorsvw.exe	43
PID 2672 wrote to memory of 1604	2672	mscorsvw.exe	43
PID 2672 wrote to memory of 2360	2672	mscorsvw.exe	44
PID 2672 wrote to memory of 2360	2672	mscorsvw.exe	44
PID 2672 wrote to memory of 2360	2672	mscorsvw.exe	44
PID 2672 wrote to memory of 2360	2672	mscorsvw.exe	44
PID 2672 wrote to memory of 2116	2672	mscorsvw.exe	45
PID 2672 wrote to memory of 2116	2672	mscorsvw.exe	45
PID 2672 wrote to memory of 2116	2672	mscorsvw.exe	45
PID 2672 wrote to memory of 2116	2672	mscorsvw.exe	45
PID 2672 wrote to memory of 2476	2672	mscorsvw.exe	46
PID 2672 wrote to memory of 2476	2672	mscorsvw.exe	46
PID 2672 wrote to memory of 2476	2672	mscorsvw.exe	46
PID 2672 wrote to memory of 2476	2672	mscorsvw.exe	46
PID 2672 wrote to memory of 2924	2672	mscorsvw.exe	47
PID 2672 wrote to memory of 2924	2672	mscorsvw.exe	47
PID 2672 wrote to memory of 2924	2672	mscorsvw.exe	47
PID 2672 wrote to memory of 2924	2672	mscorsvw.exe	47
PID 2672 wrote to memory of 2268	2672	mscorsvw.exe	48
PID 2672 wrote to memory of 2268	2672	mscorsvw.exe	48
PID 2672 wrote to memory of 2268	2672	mscorsvw.exe	48
PID 2672 wrote to memory of 2268	2672	mscorsvw.exe	48
PID 2672 wrote to memory of 2496	2672	mscorsvw.exe	49
PID 2672 wrote to memory of 2496	2672	mscorsvw.exe	49
PID 2672 wrote to memory of 2496	2672	mscorsvw.exe	49
PID 2672 wrote to memory of 2496	2672	mscorsvw.exe	49
PID 2672 wrote to memory of 2160	2672	mscorsvw.exe	50
PID 2672 wrote to memory of 2160	2672	mscorsvw.exe	50
PID 2672 wrote to memory of 2160	2672	mscorsvw.exe	50
PID 2672 wrote to memory of 2160	2672	mscorsvw.exe	50
PID 2672 wrote to memory of 860	2672	mscorsvw.exe	52
PID 2672 wrote to memory of 860	2672	mscorsvw.exe	52
PID 2672 wrote to memory of 860	2672	mscorsvw.exe	52
PID 2672 wrote to memory of 860	2672	mscorsvw.exe	52
PID 2672 wrote to memory of 2796	2672	mscorsvw.exe	53
PID 2672 wrote to memory of 2796	2672	mscorsvw.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-15_3c01e7128d293c0097ca0c61bf6e4ea1_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_3c01e7128d293c0097ca0c61bf6e4ea1_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 250 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 240 -NGENProcess 1ec -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 250 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1ec -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 268 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 270 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1dc -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 248 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 284 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 264 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 204 -NGENProcess 1e4 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 254 -NGENProcess 234 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 25c -NGENProcess 228 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 248 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 1bc -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 24c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 24c -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 268 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 268 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 284 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 298 -NGENProcess 29c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 284 -NGENProcess 298 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 280 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 28c -NGENProcess 2b4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a0 -NGENProcess 24c -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 268 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 28c -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2b0 -NGENProcess 2c4 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2cc -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2a0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2cc -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2a0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e8 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2c8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2cc -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 30c -NGENProcess 2c8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2d4 -NGENProcess 314 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 300 -NGENProcess 2c8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 300 -NGENProcess 2d4 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2c8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2c8 -NGENProcess 308 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:1464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 308 -NGENProcess 310 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 2e4 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 32c -NGENProcess 304 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 334 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 33c -NGENProcess 300 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c8 -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 304 -NGENProcess 300 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 340 -NGENProcess 33c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 300 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 33c -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 320 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 320 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 300 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 354 -NGENProcess 33c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 36c -NGENProcess 300 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 300 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 34c -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 35c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 300 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 35c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 38c -NGENProcess 388 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 394 -NGENProcess 35c -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:3044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 37c -NGENProcess 378 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 39c -NGENProcess 388 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 380 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a4 -NGENProcess 378 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3ac -NGENProcess 394 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 38c -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3b0 -NGENProcess 3a0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 394 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 384 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3bc -NGENProcess 3b8 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3ac -NGENProcess 3a0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3c8 -NGENProcess 3b4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b8 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3a0 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3ac -NGENProcess 3b4 -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3c0 -NGENProcess 3d4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3dc -NGENProcess 3a0 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 42c -NGENProcess 428 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 428 -NGENProcess 414 -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:892

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1876

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
706KB

MD5
35c4b20f1e7d36393cde8012acc9b688

SHA1
cbb59903b9c55a4584e9a21eabe3e1ae7e104b21

SHA256
1c0fc21181192003d562676158f50c959a8520e88e3a7c10116bd71762fbc95d

SHA512
89262068116f85545dccea4d40e4144014ca00b2773875163b615f5a1424acf5f709c8c6a8c4fe4abbf92379353cb6dc3b412a6eedecfe1c73921a79f3eb2eae

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9ee02a96b90425847001762b00d0ae95

SHA1
fdd66d1ef1db4e0927f6033559c52ad35d8cfaa7

SHA256
936aa00e0a9049f986c96d47d489f71d8d9e7b1821aa8f4385c46956a57c9841

SHA512
e920b8536519e02ea77243747adcd8ef29d80a18939793f022213121e72ea96c1f38d86b68b12afc247af8f1567b94053a8987c3ac58524aa270a9c1ba003854

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
8f21053a0d1dd4d042f57e8ef4894a7f

SHA1
84e5cfcabd482503af6e05c971ddfd1bc209250b

SHA256
5f04cdb8ba6d7c5bf4d30e1bd490baaf038a39ef86f3345fcf2601d0d3d5b15b

SHA512
7b812c30240f0f253bed6f6ae6136c2d57740efb3ca9387cc8f0b612a91d45ffef560cddf302789cde98544d1bd7076cd8e99749608f94ec001f90752fc15fd4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.0MB

MD5
01fd2a8a8be0940033377f49e220dc91

SHA1
652e3d3864283ec5f18a331fab5849c18c0c07b1

SHA256
df8524782864d4d4b66870234bec4d6ec0a6959605a51283daaa1f7f4bf94d0a

SHA512
5712cba4b0f9859025f4819aab89278046ea1abe9d8630da35703830d5dee8552bedc0de528a71017de15a8603f65634af3030e1bae00fada64a645671d472a2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
19f505c39a848ca747567396f779961f

SHA1
62a654d6bebf545884a94c00402f5c586f1d773b

SHA256
a760db9ca5d84e425d8b6f809cc6f250f43d94b338f8f31128f54341885c6782

SHA512
cbda0c916d425d762a246bf1e83e6fd23b19adea482b896eec147410bc6d51f38870d7c90ef49af077d3816bd05526bebe1ee1e0994a3a0a3abaea3a0e54db70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
5cb1e60e7ab0af3b69162c4bf0cde7bd

SHA1
4c3db681071edf0ad61d4ef2cfa82593e994475d

SHA256
c710510245333f3e8cb4a753b8647be11f4e5c4d5f490a69a3685884c3c8adc9

SHA512
6cd15edea69c151773610aefaab150e8612865c2003fb41316867d1b8e62e17b2aa47f11e74918c3b54ab588e7e559aa40c51e3e5fa36455dd8b33b6870443b7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
289f5359b35ca266d25dc33eefae5396

SHA1
1abbac8e7e4b57e3e7670011ec795b0884a99d5f

SHA256
dfb8430df6da36c2231dd0f7ac1b191e85cd2be1f02d7559bb0152570d307adc

SHA512
21e80ea1fb2bbcf6fc8fc0318e5fe6d87a531310443161eccfc5313cffa68a099567711520a05e4e44905eb17225b35407630f5586e2866d7c7fa2b0c9063461

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2466f3926110ab7716321f3e2df10d77

SHA1
bc86c541405d100390edbee5f562b346f528b00a

SHA256
74d284731ae65f17799a7fd1faa2ce8c67c11dd9ca08fb09112e6c57e53df266

SHA512
a19b23df20cc75b3e664ed435330ba9fcf8bfcdae17744764a68fa2c688b6e0f720da5fc982fb10cd13b240b581fb159c0116def3d6f5efa88d134f9a0b2b191

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cb479727b99c54b9d0f6424b1ac6ebb8

SHA1
5c2ebb222a5a610b59f4ed88dee3326007ab99a8

SHA256
9ded84393bab5058f9097adbbb99fe8de601a5c994db2838dbb968f59f9a9466

SHA512
5c509ba74698d7896cc6d7850dd4da5f4909b669588d36e96b27ec55694c2c7f5f070fee05ab40f50b6d6dec04f2f504f8f3c642039363a98919021b6aed7fc8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
021a416fca91626572fda4735df7f008

SHA1
b9695e7cad879589c086d096945e0bb702a600fe

SHA256
8a205197b5ba8a3e9edc159a3ef8881ade182beb2ecd3f0fcb480a9342a9e65e

SHA512
fcf39b633a65b9164d400af2477e3ed145a9cd4849690e38720fb6454c309d9bccc04ee38748db4378f3f02e1d3dbe0d256fa005750475cc0788411466ce3493

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6f9f642ea066075fc2a1eeca581766c9

SHA1
20f0149805394501023464b31bb1ce367e6b0c88

SHA256
a65e54e1e6ebbab14f5e15995f96231a58d13b8bc01c4d8ae66ad9c0471bd52f

SHA512
b3907fc1325c070e64ae52f135d6e503d4b9fabf26222e7eb1d893ff7bde9507bd2483902442dff1df7a5665ddf0bd959673bdeb0e3219b110adeb98c6228a71

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
54c984cdcae9fe976b133e287aff4340

SHA1
c4717ef53748c2c547c7e53e73819ade7cb125fc

SHA256
1791396c86ac4f5aa3e520f4acb69a914d3005b980759106ec68138cca631a86

SHA512
8a9cbe909e59548b916486ad586585107e4a637ca9c680b55fe73f9f21e543d3d906e228a8fc62455105e45724450a322d4e4d2c92536a7122d81e16afd03e1f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
b2d5d7b71ff81b6dddefb46fe0f21824

SHA1
db9b4b998627d2b330cdc714a61e0cf8ea652dab

SHA256
d723ca5fb176a07bdac5ca71824eb9d76884fb9f72dcb620d430e5c5c9026e77

SHA512
7c5a2fe445be19fc471603dbebe3b89bb01d4613f0e540dc167c66fb392cfca6bdf66adb52752a8805ef5eaa30ffc8f8b88b9ed174d755080ae33ab122a8e933

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7a1052a0571b3332a4b57dded03cbccb

SHA1
90bae0d4a5f0bc4c4eb6e3317c3fd2c804393d86

SHA256
e29774ad25ddaa86b77989a251dcf39266576aa2869aeb659f104bd73670e7ce

SHA512
2b5aeb0814a52ddbbb8ab816fe8ff44091b3c94a14e8a14b8e94593674eb3b1be2a8ffa86b9c77c738f2c13af4f5aff603e768d44f24200a61479f71b998501e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
77c679d46178e8482bf183309130763c

SHA1
cf4491392d3b67bd3f08082879399a49ac256c02

SHA256
226b6fcee49ed04b1245e93427d4ade1f7ef686206afb37a5d6cb6cc4618ccff

SHA512
83209d0b3ceb8135dcb6503c94a9040987df1940b26ec39887648fa54d2dceeecb94a9fc05f3bc8787d37d58824c9807dba41b157f3256306cb690debb1f90a5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f996b79c6bbd8016e323abe49a4bdbb2

SHA1
233f8c5dab7c48fcd59bce29a942382bccbcf9dc

SHA256
0e2fc244ee6d3f8bc9c683048d351686f1c598d97340bf3c39bf98efb6c3f9d9

SHA512
fe0bc830db869a5f7e4e028f8528e35800ba82e90d8fe54de4a68c0393a1d02452b169931723fd176bdda3ca544c2a9f4abe772382c5ebbf98571ba5607c37d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
01eeccfc61dd407bcc89fca7e9104a07

SHA1
3b414e68de0dd0f30b936add4114050feb78b325

SHA256
6d93aafe06bded181e58d9cd79c80c93e0abeeb8c33d9c3f1e2f2e2cf102e70a

SHA512
264ad04c4ad328d47a31f09605335fac0d84ca266fc38cead1ea4a361db2e698c4c1ea9be893856bf5459937e7e0eccffa30894c705a38ae05d6a53ad330d7de

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5c4344e711289ec8c98be75fae84ea42

SHA1
3338fc230532ab9c0d1cfb4c80f1d3beb5f949bf

SHA256
708ce172e826b0c0ff3e83e923284b69e2b9e839de15c314e9c8cf23d5e3f5e5

SHA512
1c7dda23da18c5e799e6dd3199aa0d279512523cc8bdce96fd274ba2df70978933b1d69daac713597afe016f14140d4a957da283ee6f60ccd8551573718bb379

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

Filesize
577KB

MD5
fbcda625beb9ecf12992e28e5011f6b5

SHA1
4ca8ae1ff558d5913733b99ee242dd8fdd94fa44

SHA256
e42b1b069216b1cacc91bee34918c8cc133a684b5c8018339b05d7df6f709bb3

SHA512
135dcf459527a35560899579a9e130fef4dbe2957db492927896ca95851310a20ad965c07a49531b0bc5645d19fa5e1a8219f4f0c0b0c8cb4e14598a66b75139

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

Filesize
577KB

MD5
7b8900e87b7bd38c83b596ceda88c877

SHA1
a9a64ac9f2cbb0aeefb45d636574220897c2ecc2

SHA256
b9f40bfc3610312e266792e328ae53bdad67737a7cf61be42636054073c2874c

SHA512
2103b5afe7804214b86688c74872d97b586f6026dcea1b96fd7fa0b371cef224e31f7b0712f8d33d02ff46650fb6a2447f3729c787e8013975fa839de91cfe37

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

Filesize
577KB

MD5
feb71b1735a926d7a73c9816aae41e8a

SHA1
9f3d768eeffbb0aa3ac7a77250ba96037c0fdb4c

SHA256
6d82f2fc1fb5460f0fc37b3299144adbaf24035292f998c9ca7646eb5997500d

SHA512
314f4764067729f95847d9464e788d23b6338ff912c90ef5dc79c4643ee5fce45fd5efc593f8964a9c210ee77b36c6dad74f5a3ddb43877b0981e70fca9e5ec0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

Filesize
577KB

MD5
269b5fada229b25112cd7279b8d2f6cd

SHA1
3739d1dd600c4a6a8e647c921011bee4e8e0a91b

SHA256
3871b8f38893de398c208ef371c4ec1d2ac9db0cf4970a886bd50ea8e0fbc587

SHA512
b9cc949321eb300d59865e7024276f956cf7fcc546ed48d9424ad2c56593b72062d4b34042f14533b7836e0f6b0bace6c904a8cc5668d96e47efbe85fe312a33

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

Filesize
615KB

MD5
bb0c0369222902186ae68b9c205dc363

SHA1
4c7a432f76c27a0be746ad867acdd8f7e7d4ccb7

SHA256
447b2f323cc7b057dede5e10eaf3bd14a97f8db9475aa39f34a6340b727bed36

SHA512
f7c524de1863332b13cd451fbca412205aad5b38405bebb3e645d94e35f908d20e837675a256a1ec289c963fa7b9b3c9c8f5545001a9e63b6d9e632e0a96dc11

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

Filesize
577KB

MD5
427921e7c690adbaa51765493abc2922

SHA1
45dee89c6b08170d533679b0c5c76a5d9e43bfe2

SHA256
1f61da585bc1f4d9d47a59ea9fccbbc523979f4bd4e6afa7deaef8de2cdceeea

SHA512
c7327c99cd27c1a8d91b0a1a0ddeb959b6c4655fb0c7ac926588f4cd699a58fd10b6a84ed4a2e5debf588bbcc75e58c31891d45e6b97b199eebb8528a3697224

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

Filesize
577KB

MD5
26a66820c59726e6e336c21b1a2bffe1

SHA1
685d661e282b836558fa93767c10fb678fa875b1

SHA256
2a46c03b30e6eaa5c1a59a36002d925ca2dbfba7b9f3d54edc19f53d81d6b274

SHA512
9c729f3a045ae0b3339a5c211eca7209b3a03dac3133c157c0115d1f9da59b01ee8816133ba3b626097ed30d51e02b009114b8c6a3f39c6a27d9313f0a387bee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

Filesize
577KB

MD5
ec600efc66f2ea05461ea752ef199ab8

SHA1
24c19676c6b9392ffa6f9853538376182ea45b66

SHA256
fcc3dcf19495cde31fc040e532e7c53fed95ba9a113326dcf6c154b3a7765bf6

SHA512
5b2092881a2cd10239c675e890524b66cc2d0b66d0606f3a83958d5e69bee9f934a9a77df744336a96cb7e998af7f561fc2c1d0ca337949f1c46222004c079f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

Filesize
745KB

MD5
4f22891f142182ff1b12224a21db05a4

SHA1
2c88cf6f6b01c50944b92828518ae4a99cc2182c

SHA256
fb941cd4ecfa4371f490a5efcbce106f7179f49d3e268b2f261dfc004816b5ad

SHA512
9f31c77c1b6a3a1abaa642695da4dcdd72e60a9eadb098cf0d64e11dbe140454e3a4087f57fe22033ab5baa820e5f771d5be9ee49d1a3fa80ebe40f5da33b64b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe

Filesize
577KB

MD5
f6a62a20fd71a940df0adcc79c0b9931

SHA1
0266bc22b5dde7c69cf28019b09e802cb8a6fd23

SHA256
896ae81644f54ad7468e51fcbfd30b4e586f73698a27df450786999ff4d76785

SHA512
2fd2ec513af469b3c36060bf7deb5c2cd05fe1347d0eeb6397a3aa6f81875e4ca374c4b0c43b9656ce27073a34015c351b34b2262284ccd1982182d5769fb8b4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe

Filesize
577KB

MD5
4a8a62e1d6001523ae79b8c4499cfa09

SHA1
36752faebd1fbe89bda9e398dd438c1413c4bfb8

SHA256
afcf52a7fb05ed82e18928bf4c03682626c6bd3282d39708f944ecf8e5853732

SHA512
d6640b4109cea79993077d1de9107160f59b20929110c56292eb8b4e5de3bd3bdb16a188d69811fa48b6a83d245fc5e331e581f5056b3f5897bcd25899c8deec

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe

Filesize
639KB

MD5
89a56a92f3ec7ebd574c6d6b1d487555

SHA1
53ae4b89a9665f157bdbde0daee66ba492db1c99

SHA256
185c460eec13731c52807a56354291d69023e775a989fb595e334ea529f0a21d

SHA512
a4549f08a81cc2147450e8c28730381db617257ffc9a70bda353fa39b68f1046cacdb0788c8104062032e7e4ddabd34c3cce30c7acce1ace6dac32ed2d90327b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
8cad34cdf1a9f7624ac8cf54748a843c

SHA1
05c51af21c5ec836471b5d23f3f48d07519a0990

SHA256
c27a5a9d9f9cacfd338c526639e53689956f7a5af31a1c395000e31470f7edad

SHA512
22aa1abad0b0aab4057cda85502d1c79d8e0c029e7f91be1eb183beba79fb626a2009c6cb01b29282cca9b28f76620b12b98519363de3120e304caefe7d80c81

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4a74589f2e97d9ca2f6415def77adf1a

SHA1
968f7a340709b5b9c6620bf48a7e83a8db766e46

SHA256
9a3c7362ee334a3683bed48d1e97b0b0b63c4ae5979b9667f3af998b2431cebd

SHA512
8537b0ac41cb85e0e16355052567657632e30d4ebe17fecb8088de65f5bdfa2c08f1501743ae5aa1be280c549f01f75c005986acc7f5cf19d444b257304813ff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0bf19ec55afa0b1e61482ab2e4f30bf7

SHA1
c4969a8762dfa198fd3b483c5a49a6221d700f90

SHA256
d8eccacb985fbe5a7022b0b751994af1551b9697de26c92f6b88ad08851d5100

SHA512
190b946f04bd9371a8a60ef3cde04258c5db28c492bfcddeb35669877b154780e793dcd3175bc4ea732f2ad860f35ed8704a598a0aa6e73d6363b8f3ba72a5c8

Download Submit
C:\Windows\Temp\Cab242.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar29C1.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

Filesize
105KB

MD5
d9c0055c0c93a681947027f5282d5dcd

SHA1
9bd104f4d6bd68d09ae2a55b1ffc30673850780f

SHA256
dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed

SHA512
5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
1.0MB

MD5
598a06ea8f1611a24f86bc0bef0f547e

SHA1
5a4401a54aa6cd5d8fd883702467879fb5823e37

SHA256
e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512

SHA512
774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\03653ea19aa91d42de7bcaf71859530a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
bc93391466b70b8c787809e8491a13fc

SHA1
d44a3ee9861311371519d94599149a3fddfb6d2a

SHA256
50c24ee6ce93bde7ef7eb29983d011ad0c2c8277605933b054005b1b929ec66c

SHA512
2dea5caead99e51ee2a64134162e734cc4cc13867a9922b232ceb7127b80cb5598e845f3cc39fc1f04a9b83d7e86086b2f23bafaae47d9134451aa9eff53bce4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2e01b0c39a223f84dc496d1505ca392b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
1ffd53f92aa4c0770939a148edaa72ac

SHA1
e4aa91ad60c2bb8f6ce71afd5e01f268acb80523

SHA256
a1e8321e5a866ef3e231cecefe52d052aa5669a61ca8785ac5e2d57f04c3ec43

SHA512
5d72b533ed501058dd3068800c28fbf2efba1dbcccee410b0f39bdab036614653e03a15dba555261d2bb61a278b656487c8151325e2a7b5380794d473d4e8e9b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5c13ee182d68968e2d3cfa6ef3f35c7f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
c2a10f9d2193e6c1acfde545eab66079

SHA1
ad6ccb13302b1058a9377725fed2fd91cc1f571b

SHA256
c9e8044b0d57fb9b2df526eae34885b86c7fa89f025d13d8e7a81f42337f4fdd

SHA512
21437f74fcc3bc84527523afea12f4e14ab6d1fdd4fe92a594600b152b1866a46650b533635231644e51b3b6c5f97141a25602709edd0a1c944f8cbbbf0420bf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e2ae165f4db04e5b84c7cdd969007064\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
cb531d693a1e349b10c0bb79d5e84a9b

SHA1
159b884a93a5529ddb8a60020263b221557a41a7

SHA256
e51ef60e50cc571aed65ece4f93a4bf503412eca80ee158373d923bcb1266380

SHA512
5005a127af7fb40dd54fc3c173b2f9ac1b275c827a8718ad59e88c1b36fa15be8c18c6296821d99bf23a412c6c3e55f5aedd5d7ac6a513e4426b28e8621f0fdd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
10b6fb08737ee975e4ad4fd9de0013fa

SHA1
df313e0726321a3e179e491492c1508d9a18976f

SHA256
afb95eee00b7c1c8884e3b020d77e52bab067c5b628a20b8813704746d1ef910

SHA512
ff246f0a248fb9893e22f2886e84168388e35c9e94b7db5ceaf1a76feece6355ac5a39fd9176d117e616d4574574914b148c7ce750cccd3ddb5570fc7e6128ef

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
14de299dc2af047e3dea5b0591b69ab3

SHA1
e818ef5b3ecef71beb7fbd19ee0fb7b02a997baf

SHA256
3d27b97e577b71f2a0a074cea70a89ac325f48f79da12ae0df218795fbe99e74

SHA512
526fd1044ec8604e8902755ac2255758a48344cd6d1692c3a1cd70b472aeb0ca484f28ab2747a7f3a4eb000ffe81c0e913d5804e97aa8d83c3bf4f35b01d35c0

Download Submit
memory/328-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/352-634-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/352-638-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/588-700-0x0000000001880000-0x0000000001898000-memory.dmp

Filesize
96KB

Download
memory/588-706-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/588-699-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/588-701-0x00000000018B0000-0x00000000018BE000-memory.dmp

Filesize
56KB

Download
memory/588-702-0x0000000001A00000-0x0000000001A1A000-memory.dmp

Filesize
104KB

Download
memory/588-703-0x0000000001A20000-0x0000000001A3E000-memory.dmp

Filesize
120KB

Download
memory/860-463-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/860-486-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/892-76-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/892-69-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/892-348-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/892-74-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/928-657-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1100-659-0x00000000018D0000-0x00000000018DC000-memory.dmp

Filesize
48KB

Download
memory/1100-658-0x0000000001890000-0x000000000189E000-memory.dmp

Filesize
56KB

Download
memory/1100-670-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1100-661-0x000000001AD10000-0x000000001AD26000-memory.dmp

Filesize
88KB

Download
memory/1100-660-0x000000001ACC0000-0x000000001AD08000-memory.dmp

Filesize
288KB

Download
memory/1256-578-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1536-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1536-580-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1604-375-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1604-371-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1672-698-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1672-674-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/1672-680-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/1672-677-0x0000000001900000-0x0000000001916000-memory.dmp

Filesize
88KB

Download
memory/1672-676-0x000000001ADF0000-0x000000001AE38000-memory.dmp

Filesize
288KB

Download
memory/1672-675-0x00000000018D0000-0x00000000018DC000-memory.dmp

Filesize
48KB

Download
memory/1672-679-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/1684-510-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1716-280-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1716-292-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1728-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1876-94-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1876-99-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1876-101-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1876-370-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1940-355-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1968-369-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1968-356-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2016-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2020-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2020-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2020-8-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/2020-1-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/2116-396-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2116-407-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-448-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-475-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2232-635-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2268-431-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2268-443-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2292-334-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2292-345-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-538-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2304-549-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2348-717-0x0000000000F30000-0x0000000000F48000-memory.dmp

Filesize
96KB

Download
memory/2348-719-0x0000000001B80000-0x0000000001B8E000-memory.dmp

Filesize
56KB

Download
memory/2348-715-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2348-718-0x00000000019C0000-0x00000000019CC000-memory.dmp

Filesize
48KB

Download
memory/2348-728-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/2348-723-0x000000001B250000-0x000000001B26E000-memory.dmp

Filesize
120KB

Download
memory/2348-721-0x0000000001BB0000-0x0000000001BF8000-memory.dmp

Filesize
288KB

Download
memory/2348-722-0x000000001AD60000-0x000000001AD7A000-memory.dmp

Filesize
104KB

Download
memory/2348-720-0x0000000001B90000-0x0000000001BA6000-memory.dmp

Filesize
88KB

Download
memory/2360-388-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2360-384-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2376-295-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2400-321-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2400-308-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2440-536-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2440-533-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-408-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-419-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2496-442-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2496-446-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2548-42-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2548-43-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2548-49-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2548-300-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2584-64-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2584-66-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2584-333-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2584-58-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2672-271-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2672-30-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2672-35-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2672-29-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2704-80-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2704-92-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2704-90-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2704-86-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/2704-79-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2716-111-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2716-20-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2716-21-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2716-14-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2716-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2724-318-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2724-325-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2760-383-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2760-113-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2796-487-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2796-488-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

Filesize
744KB

Download
memory/2796-492-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2924-423-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2960-453-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2960-579-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download