1687311b4e7a3720be20490e8ed6cc772a32336a7bed8896e475b8ec616c6b81

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
Size

1.7MB
MD5

c16f86882d5a102ed7a0fbbc0874d102
SHA1

4e3ac7a53f0f368b9218bf717162d5e073a0f7df
SHA256

1687311b4e7a3720be20490e8ed6cc772a32336a7bed8896e475b8ec616c6b81
SHA512

90b7aac54467b266a9dd9ce7c83a156d3d99f7aeb1ad0e3e2ef5516b38270112dae07892e3e80765c3508484e3ee66e7439db0512a63b48f64e6b15e83285f67
SSDEEP

49152:Cjt17kLz5P3mucJZCliSAbFXHrZy0HCxgdjmyZ3xog:AjkLlP2bClDC9Fjd

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot = "C:\\Program Files\\Greenshot\\Greenshot.exe"	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Greenshot.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Greenshot\is-7F3P7.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-MOQVG.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-E5NFB.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-VS0I8.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-GBU2L.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File opened for modification	C:\Program Files\Greenshot\log4net.dll	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Plugins\GreenshotOfficePlugin\is-N02AV.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-9RFES.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-9NAT2.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-7M2LB.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-2DTCV.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-RUK51.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\is-DNB4C.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-AB8VV.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-GU7CG.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-KVMGA.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Plugins\GreenshotExternalCommandPlugin\is-J2DM7.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-S7CA1.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File opened for modification	C:\Program Files\Greenshot\Greenshot.exe	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-N4303.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-QB2Q3.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-R3J8N.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\is-4M0CC.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\is-TVSNR.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\is-90S7V.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-C6P1Q.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File opened for modification	C:\Program Files\Greenshot\unins000.dat	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-CT6J2.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-21KD1.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\is-RF51O.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-L35EV.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-PARBN.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-HAKG4.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-0PV44.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\unins000.dat	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-1J5S7.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-09I75.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-GNJR4.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File opened for modification	C:\Program Files\Greenshot\GreenshotPlugin.dll	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-MELNN.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\is-6T8FJ.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-EAONS.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-2EIFH.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-AIRD0.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-CU7IJ.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-14NII.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-OUQFQ.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-VR7LV.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-87DN2.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-5VMVQ.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-TGBFC.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-USQ91.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-BG3IE.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotExternalCommandPlugin\is-O35QK.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File opened for modification	C:\Program Files\Greenshot\LinqBridge.dll	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-MUT85.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\is-SKFEG.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-H1IKF.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-VR7AK.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-0TK8L.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-BK9R5.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\is-5T29O.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotOCRPlugin\is-VIKP2.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
File created	C:\Program Files\Greenshot\Languages\Plugins\GreenshotImgurPlugin\is-G7DHN.tmp	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8DF3.tmp\Accessibility.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP36BB.tmp\log4net.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5791.tmp\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9e4-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index16.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\GreenshotPlugin\169ba976252c896f281f785e22029e07\GreenshotPlugin.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP90A2.tmp\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\27c-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6E17.tmp\System.Windows.Forms.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexf.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\132c-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fb4-0\log4net.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\738-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index12.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ac8-0\Greenshot.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index19.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2E3F.tmp\GreenshotPlugin.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3A45.tmp\System.Configuration.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexf.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Greenshot\5f6852d4a5e9151aefc143b3a002e542\Greenshot.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6973.tmp\System.Drawing.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index16.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

Executes dropped EXE 4 IoCs

pid	Process
2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
1616	_setup64.tmp
1748	Greenshot.exe
2528	greenshotocrcommand.exe

Loads dropped DLL 64 IoCs

pid	Process
2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
2760	mscorsvw.exe
2760	mscorsvw.exe
636	mscorsvw.exe
4908	mscorsvw.exe
2376	mscorsvw.exe
2532	mscorsvw.exe
1848	mscorsvw.exe
4020	mscorsvw.exe
2376	mscorsvw.exe
1904	mscorsvw.exe
3960	mscorsvw.exe
1904	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4540	mscorsvw.exe
4540	mscorsvw.exe
4540	mscorsvw.exe
4540	mscorsvw.exe
4540	mscorsvw.exe
3212	mscorsvw.exe
3212	mscorsvw.exe
3212	mscorsvw.exe
3212	mscorsvw.exe
3212	mscorsvw.exe
3212	mscorsvw.exe
4920	mscorsvw.exe
4920	mscorsvw.exe
4920	mscorsvw.exe
4920	mscorsvw.exe
4920	mscorsvw.exe
4920	mscorsvw.exe
4920	mscorsvw.exe
4960	mscorsvw.exe
4960	mscorsvw.exe
4960	mscorsvw.exe
4960	mscorsvw.exe
4960	mscorsvw.exe
4960	mscorsvw.exe
4960	mscorsvw.exe
4112	mscorsvw.exe
4112	mscorsvw.exe
4112	mscorsvw.exe
4112	mscorsvw.exe
4112	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
4784	mscorsvw.exe
2800	mscorsvw.exe
2800	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot\shell\open\command	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Greenshot\DefaultIcon	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot\shell\open	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Greenshot	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot\ = "Greenshot File"	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot\DefaultIcon\ = "C:\\Program Files\\Greenshot\\Greenshot.EXE,0"	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Greenshot\shell\open\command	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot\shell	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.greenshot	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.greenshot\ = "Greenshot"	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Greenshot\shell\open\command\ = "\"C:\\Program Files\\Greenshot\\Greenshot.EXE\" --openfile \"%1\""	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
2632	msedge.exe
2632	msedge.exe
1140	msedge.exe
1140	msedge.exe
3716	identity_helper.exe
3716	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	Greenshot.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1748	Greenshot.exe
1748	Greenshot.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1748	Greenshot.exe
1748	Greenshot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2580	2292	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	84
PID 2292 wrote to memory of 2580	2292	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	84
PID 2292 wrote to memory of 2580	2292	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	84
PID 2580 wrote to memory of 1616	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	88
PID 2580 wrote to memory of 1616	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	88
PID 2580 wrote to memory of 4488	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	90
PID 2580 wrote to memory of 4488	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	90
PID 2580 wrote to memory of 3076	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	103
PID 2580 wrote to memory of 3076	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	103
PID 2580 wrote to memory of 1140	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	121
PID 2580 wrote to memory of 1140	2580	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp	121
PID 1140 wrote to memory of 808	1140	msedge.exe	122
PID 1140 wrote to memory of 808	1140	msedge.exe	122
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2008	1140	msedge.exe	123
PID 1140 wrote to memory of 2632	1140	msedge.exe	124
PID 1140 wrote to memory of 2632	1140	msedge.exe	124
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125
PID 1140 wrote to memory of 3700	1140	msedge.exe	125

C:\Users\Admin\AppData\Local\Temp\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
"C:\Users\Admin\AppData\Local\Temp\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\is-7TPIJ.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7TPIJ.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp" /SL5="$100060,1293027,131584,C:\Users\Admin\AppData\Local\Temp\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\is-1B0QU.tmp\_isetup\_setup64.tmp
    helper 105 0x56C
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Greenshot\Greenshot.exe"
    3⤵
    PID:4488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:1680
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2760
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:636
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 270 -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 254 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1848
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 284 -Pipe 2cc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1904
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2d4 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:3960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Greenshot\GreenshotPlugin.dll"
    3⤵
    PID:3076
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      PID:3704
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 250 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 1b8 -Pipe 274 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:3212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4920
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4960
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 288 -Pipe 1c4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4784
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2844
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:3784
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://getgreenshot.org/thank-you/?language=en&version=1.2.10.6
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95b0946f8,0x7ff95b094708,0x7ff95b094718
      4⤵
      PID:808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:3928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
      4⤵
      PID:2872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:4676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
      4⤵
      PID:5060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
      4⤵
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:4128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      PID:864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:1756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,379250593535682818,9819771970125988032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      4⤵
      PID:4632
- - C:\Program Files\Greenshot\Greenshot.exe
    "C:\Program Files\Greenshot\Greenshot.exe" /language en
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1748
  - - C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe
      "C:\Program Files\Greenshot\Plugins\GreenshotOCRPlugin\greenshotocrcommand.exe" -c
      4⤵
      Executes dropped EXE
      PID:2528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Greenshot\Greenshot.exe

Filesize
515KB

MD5
346d22939e3079901f0dfac7add71c94

SHA1
67ea9f4f56c7c4189745aab05c614a6e615d9e7e

SHA256
fdc3900da9cf5b4b7f4b461eb54f2f7abf2af104de8bfdd0b7f6a46f092f9cc6

SHA512
3d845aee807f6fc711f212229595ba2dfeec760c649b7b0f4398cba8091fab8eb63dd551b46f49840a2de2c2b872130b4b5e90f95ff2757381e96be4b066122d

Download Submit
C:\Program Files\Greenshot\Greenshot.exe.config

Filesize
423B

MD5
607cf0cb207fe62914afb1d252002de5

SHA1
7e9979e5244f6cd3640cf5bc429c29ea9f80c656

SHA256
e1f91b7391b071117b03be8e8a21fb644e83a624bfa9ea76a4389e8f2ea7027c

SHA512
552c0b846b8a9a487aa27a9158ec01dc35f47f4cf932540adbf3bebad34ed85422213e73ab9f826648d9340ab0d867eab71d23c4b7b06ca1f0775aab9683d096

Download Submit
C:\Program Files\Greenshot\GreenshotPlugin.dll

Filesize
447KB

MD5
9ffceb225f44cf2aeb6fbb51c77fd12d

SHA1
3658d7ec2f0de037f909d59c8a51783fa2ec885e

SHA256
697f06fe82a419c2a32d5f8819ff857e70c2052e253389780469ce114bd8efe7

SHA512
8ba2910c71b347eea24650b996bc26dff3393c0416be0ac8a6fb6014cc61a9e705e770bc9909c2247dae025e1c13738c9a4f249ef9414ffd8ef668a4caa9eeb1

Download Submit
C:\Program Files\Greenshot\LinqBridge.dll

Filesize
72KB

MD5
8786edae35ac469b8a80e443d387e968

SHA1
cd51f58c61c8c8a8ebd4428f6a2e4b98a446c215

SHA256
e9d98dcf877357127db02dd36d2a0c6eb6c8561ea802d910b6a9c62c75243e94

SHA512
ea0074b3b0ae46a8c9faeba13305147748104787757b5c78e1915be73d5a33e39f108cca2c5e6c70e3b0f76f3a6adc7365d3a14afd16de198201a7f31e245571

Download Submit
C:\Program Files\Greenshot\log4net.dll

Filesize
216KB

MD5
c10193a05427df7e422abbbd733e059e

SHA1
d8db7f68218bd39c0e758fcde4a7c0f18ce1cb81

SHA256
b44c644dcb302ef0fe827a40f947c68e689cb20a162defed655599e90a47fba6

SHA512
12ec16a5127deba51e5e35b63645f7ba710cac146d4969b35545f0aab01ed3f9d32e887fa6b5187195d65df9b7a7a7da8764bf0e5a69887a2002c0b8a0c7a13a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_1151833BB5788BDCAD7971E54EA7B930

Filesize
1KB

MD5
71feec58a2cac9189a3fa5548b302a9f

SHA1
9743340687059f5908b9426980a7e96bae0ea036

SHA256
007cb73de9d0fd0ac368ecae78959ece0aeda342116af6fc3ec989d79970736b

SHA512
6d374d4a71797373db0226a0e33f5d0b38f8b8e61ee15bb048b0b51ad9c9c09a574ffac5b4fe20d4dd0a0602284ea1364ef44b849bd36958dff1bac2b1e2a1d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A242DAB82C3A2C6C33F27A249ED66F9B_3A4623EECFF4D613F73B7619BD57C837

Filesize
1KB

MD5
7e0ddf6f190b052d6895091a3dcd8116

SHA1
ad5a19008cac0cef33cf081c89c8ed011ce857b5

SHA256
4b6cde5340acf35c4e9c1fb6feee4fc38c837830bbe526a3367fc1b3fffb47c1

SHA512
cbda87ee8680dae231b94983b557b4d2cd59f4538c7fab844e0728efed8d59f6b8506286d7fdb757c2f4b37307adca4b37b1f6a0b35d1da704961c919ce0ac69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_1151833BB5788BDCAD7971E54EA7B930

Filesize
412B

MD5
ed236a22554adb084276ee9d337c446c

SHA1
fe8e3dfea813d1c13c1bba8febe87d7d465b06b7

SHA256
563fce9a5265a3043b6ee96dc3b0c8e7b1e67c1e4cccefa0ac6b9ff6078abf27

SHA512
a1555c379b01f16e03d0cc3cb3a6b7fa7bc988874dcc987543fd724393ee589f69a04fdc6f42577d8edc6cda46ea9854325c22b28d579bb4df9ca4f018a827a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A242DAB82C3A2C6C33F27A249ED66F9B_3A4623EECFF4D613F73B7619BD57C837

Filesize
422B

MD5
bf14ead2391fff8842f564ff06870ab8

SHA1
8f962cf64d549a8f355d57096ebf8fea01663fc4

SHA256
22dfef4c31464c86dd31b21d1bd07686d9d025f79e59ba1136c374b24a6e756c

SHA512
2c8091a915adc258f0495db41d48d8c90ae221e26e90704cd1385b53a5c253e241e35752b2ea913140b9780d6c67530b6bb9fa57f3c0559edd5e3ee7b54c6a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
b348f029ae808afc2e0d1dd6c4521113

SHA1
0aedd22fed2b979bd5ebe65182f667d0f24d7de1

SHA256
68a644f33c67bfad58ff98876a2b128e6b3a07f6188bd43b62f584a76ebb85b0

SHA512
5f57028d5716b473121cfabdc156e9245ea5bd4a4ac4a56a1b0e3ad40f3f3a68b3c0bc0a87155488d9e890a521b1025bf1c0b8f4fec8f7674c3fb1ef21a7438d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ab92c35347e81d1edc540e89b68f2231

SHA1
d0dd7d7f2d33af91b8e68a113751cab39695bb01

SHA256
526226b9991c21ed8bafd01e8f64c88baafc3fa3335f8d15844ddb7a9d6dcc2e

SHA512
58914d5e5d9505604e0713b4bb16aadf744fb51fa59cbd046549aee9728ac97456c4468e4b2b35803471cba0c2aa07b47d2f2d85244bf233df5af05bb9b66326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
28a911cbae68e8d413a972da4f67a89b

SHA1
ce3d13150c2b9af726f4d6c181441dbe1edb5414

SHA256
0635b9f211fe84e7af38f711bef124be3d1a84c212fd0a4087d7dba9c7a89314

SHA512
8abe4d002ff33567af32280773b0ff4093715a645d0ce0c6612a30b5d48e143d0e1c7cce5051b4cfbc31f3cad1d4439a353933ca3165b84dbc08d19e584898b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51057cdf4e304c98bba67cbcd7ab6f79

SHA1
c040b4c0177bd4146aaeb41432d52f5964b0bbd9

SHA256
06f836b512d66970ed78bf211331ec2b510bcc4a6927de6fd0b04d9d10775fb8

SHA512
381f199740d87c776152fc5433be09dae5de9647af7fc79e0286dd015f6c71f98bd560587915836697cde9f223e99352eb6e118b766acb496c8bd5ab80305044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bec7054a95b396ec1a8ffc8653b41b31

SHA1
22d0aa2395b053cd76bd41267c6c447babdefb40

SHA256
ab227561fe1a21231a23d8cb5e169dcf7e61ae3107d6dde78ff8e230c669b268

SHA512
419cd172f90b29dd50d87d7d7e5ab67f26506e9d46c5e9c29090ff8a1a87995c2117a32681fdea37bb5538efa8d9d136171bbfd83034efffaf072501c06a3dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
fa8db0550e659785a0a21637d43e5d15

SHA1
af0b0046193e002e1e5b950d73ca0699f64923f1

SHA256
6c373521267094e085ea9d3baa9ba7b7594f9dccc1d8b278e0f10d2a7558fe52

SHA512
84d32214d1cacdbb10da189deefb89f794918da6932306e29c5bfdd4e591007431263b443912689946ff1284454536adccf0b53b0074464f60a38d3c0724da59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f7f7.TMP

Filesize
706B

MD5
60db4b383b2245afcd22869573711a66

SHA1
4a6a1f13ce55ff460cab49272a37eaf9da1aa46a

SHA256
68252f09648bc244f681c1d6ab6f8105b346118a59fb964739d8de1d9e3d83ac

SHA512
f1935c84f11e88fa5b87d3895e75bc7c727a046a38c1c1696d41a803c814f67d8f63ed95193870fc1499204366093265239106c296162012dd324e3a2a5ab2a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fad9140ca003cb4a355b4b98389793c3

SHA1
31f281bc2fdbb1d59593ca0f4e79e8ef81f09c27

SHA256
422b3bad3bb87faf620414ef5c1c886a791e80cbba89d0a7d10cedc2c22d18d5

SHA512
ff363b281dd585ea342fee402cac7dcbacd0dbae0ee55d1f7e781adc785703d685e752969864d81d10c1261a6cbf91c4c4c83a2c7e1d1a354f5e718ceca6d301

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1B0QU.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1B0QU.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7TPIJ.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Filesize
1.1MB

MD5
d1a078992e232919ea834226aea627a8

SHA1
53f5af8c06721ef5b62f56037e3b57dc4b517eaf

SHA256
655da9c7f64ef8f0f48160c76b8dc5443aaba63e8c6b3534a266e9cd5a18489f

SHA512
e056370322e58725961c024d1f322d31066bffd8b8d77f80fc14d2b5861788ef00e5ebc3fa6f51a6b0a94bdb02e8fffea48926716275754dd77bbe0fb8e221f8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\c19a7a7adf0d77544aeeeae1e7f3dd99\Accessibility.ni.dll

Filesize
77KB

MD5
e34e4b385cd2277080d73902f59ea692

SHA1
6d6efb23cabe263d67e951fff91bbdb48c78056a

SHA256
bcf3789274b016b735d0d3eadc610912b9b0c032ca446d95cc33eedc727966b0

SHA512
4ae959826b4970ea1fbb159c71dc849f4b295d49d3b996ceeb1dda95d6bd41e222a03af33aa297f24feb9e1328664cf4b11e89d68410ef75e94bd1668807aaf9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\LinqBridge\25b4aa56a4fefc5f57ec698b0d3d1ea3\LinqBridge.ni.dll

Filesize
746KB

MD5
c6d1307ea9fd7183625c0e2ee377059c

SHA1
151de00fc11103a0abd6c7dacd6adc0de863c330

SHA256
5fe58b194c7da3be4ecd51f049a120b101c5d4fd699365c1c0c97505ef6b59dc

SHA512
f6ad12d1a836c1655fae65da48c230542bb5f15b06c24cab5a8fef26cfbf8e4bed62b42afc472b49c1c9ea482007c9d49ba7be7acd4b15a31b66192a21adf818

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\8cc6d7fa85bab2e1c74909bdfbf0e0ba\System.Deployment.ni.dll

Filesize
2.2MB

MD5
959ad404fcec8e0c31dc6114a05a1209

SHA1
25abbbbb307fe063b05b878887ddf4e2e7c6c137

SHA256
1396d15132be9c06267bc1c6af4599c70de28664df95d67ca5f47db4927e76e5

SHA512
117aa0259ee2595de42a98e0c7d28b0d6c5b0a4efb836b25cbc221768e1e2482fc317de8b2ecc518aae49962475cb0144638a2987ef6164212db69afdb455615

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\2f9efdc3eb510064e3306cfb866d7087\System.Drawing.ni.dll

Filesize
2.2MB

MD5
9410df01b0585798af6a7160aa6e7bb8

SHA1
fef0c3cfc15647cf3e58b1a79a397cbb016dd76b

SHA256
d1dd521563e2a72c242356b37596706400d7ff1ec1c86bd950726631b9f2ee85

SHA512
a6d90e09216ab258bbbbaeb7360a8685a1a88823983925092411af6fdbdfc3b3dc05a8aac7a3da3d1deac0382d13a48c097ae875a998c340746643a2f7d6ac1a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\fe8bea3cb0b5a25f64fd32a56fbe93e6\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
387KB

MD5
47b1f0c7b1c508ba0ad519f5f22a9007

SHA1
92e3508a82fed86bff130c81261000c21027741f

SHA256
d4f7e64f8a041a47fa8539eac1558c51cdee5dd1fd62eb3f0992669c553a947b

SHA512
5f3f40322eff38679cb195885ab8982ff6b100ce27ed00abfd7e3ec70b4ee68042b4c295370b156e458ce1b40d5a6f4ed2b6c66dcb483503b20601efe5a682c9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\c51b9699a4331e7a06aca7d313280a0c\System.Windows.Forms.ni.dll

Filesize
16.6MB

MD5
41403a721e377d4061af3c79c980da7a

SHA1
753738914cd20cf1205a1318bcee63bcb4eca7b8

SHA256
e1f0e664e41aba2b7b5cb4e9f408bda11f189f630304c0b313c6dd63e77e6b9d

SHA512
ef97ee2793608918f6750be91b59b9f4177d210c1f6d54b6cbe0187cc97b48778976989ae643ae95bb882605b39474c40859b42618644ec2315445778d943f94

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2E3F.tmp\GreenshotPlugin.dll

Filesize
2.1MB

MD5
de1b48f848674167538f9dbc90e0b250

SHA1
4075de5c06a9f2e797cc8e06c9202e0e9b7a99d3

SHA256
a7840d7e49d61934de653ed3073f3a903a8819b4b9f23562491f63c94296d427

SHA512
c1055d69d73918db9ce9bcc97b69a360e209f42c9e394120b9c80de5f0f556c1f9d4b79a73555a112d5dadeb9d3fb55a6082bd89fe560ac3a891695ee15857ba

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP36BB.tmp\log4net.dll

Filesize
870KB

MD5
31ffb5771eaac0894cd6fd3a42a75a02

SHA1
94e0130cdb62e9970dab0b7881db87438cb697a0

SHA256
748bbdf6ea1ef7f26d418eafe81425f0c924ac35f86e9cf2ea85d64be2c32bfd

SHA512
01059727e8167def6815966a32c0e0b7db4d339e5a0b8998563100ad13d24212e111e0041f751ffd56f71a3c812275db79c3a2e9546f499a72d3c5bcafd2c681

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3A45.tmp\System.Configuration.dll

Filesize
1.3MB

MD5
097d48009561b75c4d11b4a6d5fd3173

SHA1
ac4c4f0ae1769e01c6adcc284aa3859626fd6523

SHA256
d211f04db43ea60dd27862c9eb79c469058b99cffdaadba8ade8dd543daebbfa

SHA512
9d523db62dc353b1583287059ea5cedadbf460462d39bd05df1963afa2f4126174336efd2f7664942f6306e39da4853ad4e8629a4b895d96aae338d030962bb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3F65.tmp\System.Xml.dll

Filesize
6.7MB

MD5
1bef61f497c8fadde9252037321358f3

SHA1
073285903e8fe3f00ac96d90cd34304579507321

SHA256
b536f29fdaafd896a418a09e95aadbf060192b24eac7c756dc7c25860cf7fb8a

SHA512
77e6b4061e0944f2962094446e17f2b431d71a1517c71d2c2385aa45c6d6e6e1f13f8ce15b2e33151228f83ff94e61aabe7ccff204a989982a57c624b6bc62a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5791.tmp\System.Data.SqlXml.dll

Filesize
3.3MB

MD5
417455f60c847da77e04c183eaa6e86c

SHA1
90ea4534a5ff124304abd1b5f2528222fc5d88ad

SHA256
c6022e4dbd3d3436234517a15537cdfc85d9916de0d3e9caaa45ecdbe7f09966

SHA512
432793bf4e56378db8d8599e2cbff7da5c308fb8a21cc7e459bb8150eb9d7ba955b4333ff3c20eb1944e9ce35126283ba3d2f972e2adb38ce73b4f47840748a6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP65F8.tmp\System.Security.dll

Filesize
960KB

MD5
1f4c9ee0580e3f1e5bc3bc78afbaafc3

SHA1
0e6f8c67b815441a0b4dd350330d7e4787b0317d

SHA256
007075251cf40e660b7fc191200c4901b46bbd39eef32334a906900a8a0921ba

SHA512
992a15da93ba145052b375cf3978e9d7ca50bdc01cfd0c1afc3411c1b8d9efb96a71d2ace079f18ee23df75cf43f7f691ab7119bb55204db9f7b768da5aff95a

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\GreenshotPlugin\169ba976252c896f281f785e22029e07\GreenshotPlugin.ni.dll

Filesize
1.8MB

MD5
4f38b948a2928e6ca8217411623e7df9

SHA1
8f46ccf143fa7f7bcd2911835320d2fc2bb8f0bf

SHA256
b4905156d27705656f4675ed3ee305d89aa4f7ad2fbf51bd5c36cc3a14a1875f

SHA512
38775c661ca30f81c152549858596763be1c24ac528f26f4366be79a46f146bd0c919070261f1ffdb0e36ec696f49d2f87ac36f68cfbfe207e50f1bca1d2e1bb

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Greenshot\5f6852d4a5e9151aefc143b3a002e542\Greenshot.ni.exe

Filesize
1.8MB

MD5
ca152578d688c0aae3ba10acecc53190

SHA1
641ec3940a427e0d9b008f397c74dc49b303bd0b

SHA256
1b8a17813b58d834a0ce7fc53b070dd07fa78414607cebe738871021726c783e

SHA512
67454985032745d60616ee9c2765c1d5d0e59d930acb1790456ca558499f86283141687a93b5af9b7f7b268ce5a4bdc5d7f862184cbcbdbcc0844d22b7ea672a

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\LinqBridge\c57edae910cb6143ef6d7b1d57a24772\LinqBridge.ni.dll

Filesize
755KB

MD5
62051f89b286089a07b44d4aa092ac81

SHA1
d68e866d669265375c59af9d56062cdb5e0408ad

SHA256
0b883d276e6a0c2b703d5a5123059cb601a058707f59d1bf6806ac6f8bf3a437

SHA512
e7947262601d081fe59915522c300c8b9382eadb589e7f6e5190916c8366b312c81f37757e561cffab5068419a1405c92b9056b74bd0242ce62f4942e592e3fd

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\log4net\559f5afd8f41271e6ea0b94abf3b75af\log4net.ni.dll

Filesize
723KB

MD5
43adb69030dce9e992c50bd6690ae89d

SHA1
489e2d1b3dbc192f1e9d43faa545e037fd2702cd

SHA256
d23aab3b6ecd053963a525cd1cb6197bab7076b5cff61f7acea3287be436eb5a

SHA512
0b66f98dc9b60dc496821252d7fe2fb0a412d9f233d7e862ac439e38f7463aa34c7dbf4dded29169cf88eb71c50ead2575e4021cf53a901e968599a7c597ba81

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\log4net\559f5afd8f41271e6ea0b94abf3b75af\log4net.ni.dll.aux

Filesize
1KB

MD5
f1208a8db8f29e2658a29488df0eaea1

SHA1
f9d4a9974dcdf07260dca38e02d71f6d052284d9

SHA256
91be23bac9e2f57b12cc20e810c992c4bb585dfa3dec2319b0b824e8dd5c8af4

SHA512
3361d5c20859c3032718a63e9f142cf580a0a2e1fd66987e58bf3acdbbb85c8921da13b439c49c44e6dc426a61ae8d55d9ac02cf6605ef1cb8f941f508c147d9

Download Submit
memory/636-218-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/1680-200-0x0000018933740000-0x0000018933762000-memory.dmp

Filesize
136KB

Download
memory/1680-188-0x00000189337D0000-0x0000018933852000-memory.dmp

Filesize
520KB

Download
memory/1680-196-0x00000189339D0000-0x0000018933A20000-memory.dmp

Filesize
320KB

Download
memory/1680-197-0x0000018933BB0000-0x0000018933D36000-memory.dmp

Filesize
1.5MB

Download
memory/1680-198-0x000001891B5E0000-0x000001891B602000-memory.dmp

Filesize
136KB

Download
memory/1680-199-0x0000018933AE0000-0x0000018933B92000-memory.dmp

Filesize
712KB

Download
memory/1680-193-0x0000018933960000-0x00000189339D0000-memory.dmp

Filesize
448KB

Download
memory/1680-195-0x00000189198F0000-0x0000018919906000-memory.dmp

Filesize
88KB

Download
memory/1680-191-0x0000018919AD0000-0x0000018919B0A000-memory.dmp

Filesize
232KB

Download
memory/1748-649-0x000000001D7F0000-0x000000001D80A000-memory.dmp

Filesize
104KB

Download
memory/1748-646-0x000000001B040000-0x000000001B04E000-memory.dmp

Filesize
56KB

Download
memory/1748-648-0x000000001B360000-0x000000001B36A000-memory.dmp

Filesize
40KB

Download
memory/1748-647-0x000000001B350000-0x000000001B360000-memory.dmp

Filesize
64KB

Download
memory/1748-643-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/1848-266-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/2292-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2292-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2292-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2376-296-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/2528-650-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/2532-251-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/2580-13-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2580-400-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2580-656-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2580-6-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2760-201-0x0000064488000000-0x00000644881DA000-memory.dmp

Filesize
1.9MB

Download
memory/3212-397-0x00000161F8820000-0x00000161F8A1A000-memory.dmp

Filesize
2.0MB

Download
memory/3704-354-0x0000024D43F10000-0x0000024D43FAC000-memory.dmp

Filesize
624KB

Download
memory/3704-346-0x0000024D43330000-0x0000024D433A0000-memory.dmp

Filesize
448KB

Download
memory/3704-353-0x0000024D43DF0000-0x0000024D43E2A000-memory.dmp

Filesize
232KB

Download
memory/3704-361-0x0000024D454F0000-0x0000024D455C2000-memory.dmp

Filesize
840KB

Download
memory/3704-355-0x0000024D44480000-0x0000024D4494E000-memory.dmp

Filesize
4.8MB

Download
memory/3704-357-0x0000024D44970000-0x0000024D44986000-memory.dmp

Filesize
88KB

Download
memory/3704-356-0x0000024D43770000-0x0000024D43778000-memory.dmp

Filesize
32KB

Download
memory/3704-358-0x0000024D451E0000-0x0000024D45226000-memory.dmp

Filesize
280KB

Download
memory/3704-359-0x0000024D452F0000-0x0000024D453A8000-memory.dmp

Filesize
736KB

Download
memory/3704-360-0x0000024D453E0000-0x0000024D45404000-memory.dmp

Filesize
144KB

Download
memory/4020-281-0x00000644A2000000-0x00000644A20B7000-memory.dmp

Filesize
732KB

Download
memory/4540-386-0x0000019BF7DE0000-0x0000019BF7E4C000-memory.dmp

Filesize
432KB

Download
memory/4908-222-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download