Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 21:41
Static task: static1
Behavioral task: behavioral1
- Sample: 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
- Resource: win10v2004-20231215-en
General
- Target: 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
- Size: 1.8MB
- MD5: 2fedbdbf9d5823088ebc1fcc0f4a1832
- SHA1: fd805c36a32b4eaa728c5f4af8ae7f3cdedca902
- SHA256: 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90
- SHA512: 5e04da11c8ecd3b94707379ca43dca5c058f52e5b7fa75022a8c4d2abdd68c42cf896db596ef1898e25f3fac8ac55f53297d57951c7c8fe5fc105f45dbdf5741
- SSDEEP: 49152:1x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAUaB0zj0yjoB2:1vbjVkjjCAzJSB2Yyjl
Malware Config
Signatures
-
Executes dropped EXE 55 IoCs
Loads dropped DLL 14 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 9 IoCs
- File opened for modification C:\Windows\system32\dllhost.exe by 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
- File opened for modification C:\Windows\system32\fxssvc.exe by alg.exe
- File opened for modification C:\Windows\system32\IEEtwCollector.exe by mscorsvw.exe
- File opened for modification C:\Windows\System32\alg.exe by 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\567f00b3d795e6c9.bin by alg.exe
- File opened for modification C:\Windows\system32\dllhost.exe by alg.exe
- File opened for modification C:\Windows\system32\fxssvc.exe by mscorsvw.exe
- File opened for modification C:\Windows\system32\fxssvc.exe by 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
- File opened for modification C:\Windows\system32\IEEtwCollector.exe by 782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Modifies data under HKEY_USERS 28 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 1980: ehRec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 2096: EhTray.exe
- PID 2096: EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
- PID 2096: EhTray.exe
- PID 2096: EhTray.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe"C:\Users\Admin\AppData\Local\Temp\782511bdd3d585131863546d0aee8fd6690e2e3ee39e7f1bbb7d39ef5ac33e90.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:320
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2628
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1056
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3048
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"2⤵PID:1992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 24c -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 270 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1552
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 1dc -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2940
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 264 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2896
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 274 -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2880
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 1d8 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2000
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1176
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2196
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2568
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2608
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 294 -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2436
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 298 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2696
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 278 -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 108
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 274 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2124
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1192
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 260 -NGENProcess 2a0 -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1992
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 284 -NGENProcess 2ac -Pipe 28c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2148
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2b0 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1884
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 2b4 -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2316
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 2a0 -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1736
-
Process (depth 1): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2868
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 616
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1620
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 1ac -NGENProcess 10c -Pipe 204 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2144
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 254 -NGENProcess 1b4 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2380
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 200 -NGENProcess 25c -Pipe 1ac -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2948
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 22c -NGENProcess 260 -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1264
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 264 -NGENProcess 25c -Pipe 228 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID: 1984
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2876
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 110 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID: 1632
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 264 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2320
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 278 -Pipe 200 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID: 624
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 278 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1144
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID: 576
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1372
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 288 -NGENProcess 264 -Pipe 10c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 1204
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 268 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 996
-
Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 288
-
Process (depth 1): C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1164
-
Process (depth 1): C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2096
-
Process (depth 1): C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 2416
-
Process (depth 1): C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 692
-
Process (depth 1): C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1980
-
Process (depth 1): C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 864
-
Process (depth 1): C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID: 2740
-
Process (depth 1): C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 2588
-
Process (depth 1): C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3000
-
Process (depth 1): C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2944
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.3MB
MD5: 63e554721515b377e9353367a835dbda
SHA1: 7f1664147420520365fc025672e86a5836193262
SHA256: e88946f52acdd0d0f431e2179d87b0540711ce6d7bbcae167dd98a1d18ed8886
SHA512: 460a727e3abe249b15c849833466c7dcbacc4d600dcd55ef7f37fac28402cb909413b5dcd7bbebe6d7288b9b62948f53d9ae43722b6bbc2cb69b43af45ce8255
-
Filesize: 1.6MB
MD5: ae9573e890e0d758bf5cbd55f14bb678
SHA1: f540f8adcae94adccdaa623fb56189449f67a981
SHA256: 637f7a076afbb7652e1936b5aa3f373e14ffd3b8d5b2207969ffb7835596c928
SHA512: 4747d18374a8ce5b11e9c2f697259d4d936c9b0110e1433d4b4861ffabb8727ca85d618a5b75dce9ac7606b754772705e4befcd816d3fa4314b38ec388943eaf
-
Filesize: 1.3MB
MD5: 227909306e60ed3052c44d4a2f9788fb
SHA1: 75d6db5f2c18300716eaa33461a1ecd73f57e305
SHA256: fec0be40709b52399c4608934d661539e299f0c98a0f755b2f03309f88d3912b
SHA512: d19f918e0f8a3267d4d2589cc1e37b18a2dbc65e2edffa31343edf07487c7d565642a495d6710502a3d3fe5dfdc54bfcb8938f2f254eef45ff973b6ca33d886a
-
Filesize: 1.7MB
MD5: 9d895bca18107723aa939a0f5f304676
SHA1: cdb5cf9d18e4cd2dc9e5ea21f3aa98037825d95d
SHA256: 69dbb8f65b98f4b60ef1f6e16c215318bfdb3d248ee17a16f9853686b86333fc
SHA512: a9500f1cb0f081c422fc4df1adc4891b9bc68d5a9a43f6ca70faa70c21b451aa5fb01eee23b2237ad0a2dfff400aa9132511fde471cfb474a8fbe1e57419e535
-
Filesize: 89KB
MD5: 45765a413d5795e1fcd76a195b5b6166
SHA1: 3a833c07b27f9d47de15ab203778431c1b120f47
SHA256: 63d641ea58c6b153c8cf1073e6b290b8739e4161586e78e4dbd20ad0ebc8abd9
SHA512: 12ac3983a1b35b971b8c36ec5e0b13f1f83cd690ad9bd6bebdbb98adcc3e0b6ab77a5ba1e9857d1520ff0d37bce9ca2c09f11da23b84f36175f38d50511423c9
-
Filesize: 237KB
MD5: 9a1d6196e8e88fc0588d3ad957c67fce
SHA1: bd513048d191a26151f697e1e02199d1caabdc7a
SHA256: c0f0f2abdd482864b56d8830c99b48884e38a4a4ddbc455130de049ccec2992c
SHA512: 492f6ca987f219b6656889a22de2e43da870802586800187d94026dd79cf3535ef5326d6f2fcb2dd14b7f43594b4febe4fe5cfac6566512a8775b87e333be03c
-
Filesize: 40KB
MD5: 715a8a0f36962df4ba75bb37036b39f3
SHA1: 8e21a4f5f3f381b8c3f48e0d8b600c80e9679a26
SHA256: 3b3b5d8e1b3b6a99a4403a3f5a39cce0f98febb147df2df28c474fcebd948977
SHA512: 61b01cd92d18a6433d0dc5a67bae207f1ba14b2354f2139ed19a63b5bc05b63131deb69b0528e70412741cecefcb9ba99ba95cea442d862c723c8cfb33d1d99e
-
Filesize: 1.4MB
MD5: 9b0d9fb49f3306c81416614e6e4357ea
SHA1: 00954cf68c9fbe1b9cb1c29885202867bb209134
SHA256: b8ecfb04bc0a3f70ca27df51e4339311a34e2bb2e0353eeb7b48aae5517b508a
SHA512: 75818949dc8bceea881069c981a2bcb5427b734ada4440b4ca46ff2b5de2e569b19a2557632d6236710b2c728346cac0e9b7f5d2c3e443d7059128b924589d77
-
Filesize: 1.7MB
MD5: b56004969cc24c6f24bcdd08f0a4d2fc
SHA1: 077660b17e971edb47e8a08da8a0c0b2b70721ec
SHA256: 916f92d301887729a905e0f06c9ad656e5a8319523fffe53b0fd7ab454346b6d
SHA512: eede0a0df03f509697dcbe7e083efbd68ad4e589c7494f23a17b37b21cd5f81989eb91883a0971e2b4298398e2d02dd552d8445fa359cf0476cbd4f882cb9fa8
-
Filesize: 1.5MB
MD5: c2a145941313f80ccbb46125c458ebb2
SHA1: aef5ca3031776b7de8008a930f235a69ff687060
SHA256: 315db0461fc169a8a9d976ff0b7782e97f7c7488d1ac29173ddb3d0320ef6937
SHA512: 5dd6005a8fa7667657e5ca83e337f46091a84fb9101bbcd8e000e531a366a0b4f47a852516b1d974c1a38f8fa9bd2708091561ab5d6e42a826d37b66c3ab2f18
-
Filesize: 1.2MB
MD5: cabe0038f0c6314786167f8941558a64
SHA1: 74d91e1258c669b05750fd0a053ff260206a2575
SHA256: e1aba6a16c8e61c9915e5ead49b96e8788045f70ef71f6bfa9b9e354b5d4e38d
SHA512: 6743eae8e5c93746ec236fa0b7d69cdb96d5ca2947e5a688c6a745ff1849befc7af44582bdfdf907a8bff02dd58f8a3f8fef3a3dea29a41b78a355a2659676a7
-
Filesize: 1.2MB
MD5: e6cd8a5f500a9c4fea24ce03042087ef
SHA1: 30e7199473c4b601df6a5fe3fba897f8eec6bbdd
SHA256: 51e5d3a97f376ad68215cca265d69c574bc140d849ce2b1ae9579470bfb59474
SHA512: c73c07091718b365b8bd239b249d8244edf8ec8cf4c1405c0d98769893bd1e0a8db739a6af719f78022a41219356ab42a1c2f71d8ebf1d683c0e15efbddeeba5
-
Filesize: 17KB
MD5: 931eb99ff3e662c7b1fac807b946094d
SHA1: 3fbfb1de9e2307aec38a192c02f6a85b384a4439
SHA256: 05a16163f38d19cc193aeac056deaba577a3d1da6807d8c89a7b4690e575c27f
SHA512: 00fc157831fdc341845c496dd1ce78e12ded6896de5267adae0ad78de526b8deb1dec2d521ec15a7fc87a7cf7a1f3b5ec6f1c1f03ba3234a7d8eeb7daadd0a8e
-
Filesize: 100KB
MD5: a73c2053db0a6da985e48f61472429a6
SHA1: aaf5326a4c1ab9634b6e352619701affff4789d4
SHA256: e5a774225a8aaafb26e136da79c0e10f17ae454ccf02fe4e9a802df85b4963ce
SHA512: 6c0ba40d34b7e1a704618bcb4ef00131f862c558e935513a0a1940724ed164ca8c00713fa4160a16f5755375373f60fee60691cdaaf37cd073da9580fb341a89
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize: 24B
MD5: b9bd716de6739e51c620f2086f9c31e4
SHA1: 9733d94607a3cba277e567af584510edd9febf62
SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize: 187KB
MD5: 4cc998fde77ea48c8b8bb4a983e4aa1e
SHA1: 9ad9898437bcebce5b4172b3cc4977d91ebdecee
SHA256: eb2a1a07f04c7f6ddf124c55633bbd42175b892edf818422b55301f647f8eee8
SHA512: b022713157f83ae129c3f63f5d2869967362d53d448b79bbb5c92766ee8746b1091081e239cffb765a470fde936c54db5b5e992bac27cec71838a305c71fd89b
-
Filesize: 187KB
MD5: 57778ea4894ef21cf25df217dfb6de75
SHA1: a27a82601051d8f437b7d7b7843487eab0f62817
SHA256: be99d754e95a6b73b75f64356c9ad09a79c74398a667296b3dc9a041c03caafa
SHA512: 10462589cd59fd9e78ebb4f86eed0bfd3fcee2d1c68d0ad021ac8ffde6a4309bafc8d971fab4e66e0dad9b952e058b27dad369b188f0f5649133acca60927c5b
-
Filesize: 47KB
MD5: 93cb46d41386820f18e81ced54acef31
SHA1: bc56f2dc1801fc0fa9dd288c1e021649b4a460fa
SHA256: 5ff1997adafd7ab8eaecaeea8791e033afaf13f4a0b4d84090d58cdbe40acf84
SHA512: 65b006697f56b72d8f35e110e0d41bbe5022c1ecd502d60b61c993e2dfe7cad718c5df2b9d7fd761305138513777252944c70db1522ed37610f5ac1d0024e48e
-
Filesize: 106KB
MD5: e1069287d58b889a9ca3823e932bead9
SHA1: a3d015ea4979d121c047287e78134505326a4d55
SHA256: e92ba7d8545c7b9c0e0a7cdf65fafa33ad580f56dd3549637fcb4435ad021936
SHA512: 1da0b4d613377df53703e9f877571ed934f0ec15634f065e6aea24a1af34256e18544e685be6001cdcea179a02728a7c418b708808213de8a2110ec28c72c380
-
Filesize: 216KB
MD5: 5e85a320d6ecde8b18677959b12785ad
SHA1: 8d2b66db302b5a51391f18057e54d5e059051634
SHA256: 8222395536c29c4e947433783a0cda53cf7bfd0fff5e17e05c27e8bc761c6987
SHA512: 06e9961d9acb90b83a67aa0c04e28dee12387c271878e9e08070c0d54269f000f2057a3dec492196904905d22c8a38a50c04a04fb948b52297f7f1d7cffa94d4
-
Filesize: 80KB
MD5: b776d0e3ead5cfbfd1f5f0bf8e4dad55
SHA1: 8e7610152b2be6eb57d9ec1f8070cc6cb51fcb82
SHA256: 95a1f7d725720a162ce129324858ec8d0a3818d4e24c701f423d9be7b021f81c
SHA512: 039941046b0871966c216fe9ce1de83d0c97a7fd1158185d873e5264bd1b170c4d28aa131036019042c12624f59296a9d4de78ccbfb8ec2d460a1655c9387dad
-
Filesize: 159KB
MD5: ef3a40ce1362d084ef65c591a5f3aa35
SHA1: 945072df483fe346289cb83f14c024b1e7a1ce74
SHA256: 6c143ca8b0ff78a29b440968905b94425b2740519ce8c733bcc8ef9d1bc5e2e7
SHA512: 5c92d5f4107bafc055461634e440eee39264af63870618a2b52464e9ec1ab94c7fad0a7bef78c7d98dd5070605d16ad51fcab845374c1bab392731d53d84ec9c
-
Filesize: 136KB
MD5: 0947ba7afb8e0c41301463b5499d9267
SHA1: c9d0c21ed2a5da970525d79d350b73d5675513a7
SHA256: 8469e34cd1e3d62ae4f06ca4a5afaf09c9b8bd2e3eb7bdcaa8acacf856127db7
SHA512: 10a275be4980c63ce1a71c8bef5d457213996b766fd1bd601f54832c31f30ade36b085db89265bb37833baa27bb753f9bf883d74d01dc9177ce14f15144b2416
-
Filesize: 8KB
MD5: a738b62b5a9be3e7375efe7ce834756f
SHA1: fc204a5ccc35a39eb4e81ebc71cc868bc11392cf
SHA256: bddbfa7d4e4aefe53efc8a45f160d83cb1c74c7343e53c00730439dc0a927506
SHA512: 9f96c0dff0f06f30a62ac40b3a919df23ea4ebf95f83740a57e9541a0b147f0c0b66f29a450ab639b6cfd1aec7b811397be0616440ba35020a7047f0cd8ce6fc
-
Filesize: 621KB
MD5: 3589a7d9f6927bf5dda82fb50672417d
SHA1: 22280b22f2b079b72f8adf464226a4b128827d4e
SHA256: d1949df01c1a3162e893de7bcdc174e88b9e087dc25fb171f21c781f9eb955b7
SHA512: 1b1efc086360d35e10b9614427f2871fbc70c30f61522cf8f1995b80bc51ff762a3e740c6e3ea0431de104122320c50f08fb3f8e993d20dee2444eb3d7b665b0
-
Filesize: 371KB
MD5: 0ec7268e894d15c289aeccdd61536c6f
SHA1: 1597f410ff8d83c35b34ee133a39f2fd9c919bf1
SHA256: 7ae2d54c8755a829435d10d3505d9a32d4e929ae99dc9382de1f7e2be38a8beb
SHA512: 288bf7df90d6ad84fd1c53f10665fe9922f62e1cd224b4ae170370abe4cb24594b6beaf163a950488275574613c898c64cbd2e47695f9a4c09fd6621c9da15b8
-
Filesize: 119KB
MD5: e00473af293e27e9d4d0e0762c5390a1
SHA1: 0a85e7d8b38954814b1ded4463a93a924afde222
SHA256: 506d764a8466fd90428974df627d5fca00856722cd8e19c71a3e56ace1b0a08d
SHA512: 8ad35f94966eef6c19f890a86e4c389fc83661689caa4946f8c58e4b2011990ad1fd11a2fc2e50910083563d3a8578b2db1cd49de17b4c6fd13933a64cb18538
-
Filesize: 13KB
MD5: 71be8cea88ee9bf8e8b215bbdb8512a6
SHA1: 61ac15d17f85a55ce6c80addacfdcf0bfc368968
SHA256: 376e20754260461894fb038a2e8a57d5d0f66a63a7946d019b6b74a1df37c3d1
SHA512: 8a5cb28833f25d35978109d75d701a792b1cb6b37ff54649d82daed06522b8d6fb657d7ba1a32ed7fc370730968280dc372b3672aac105306f09ea74894d623a
-
Filesize: 83KB
MD5: 540c0d38b20d3eadcdacef4e4cda006a
SHA1: 51ea2895db3b4cd18c06ec22d63308a200e00141
SHA256: 569e9f3647c9371868c643d17824bec9c68b705fdbdd61898cad7e81755deabc
SHA512: 537c0f3d119384fbf6e85e1b10ccd2340de7e4910c56fd15938cef64a35d2eeae7fdf20116e7694840799b4909bb63202d74f773f74a12161af087a5d8d93779
-
Filesize: 63KB
MD5: f612608f6b22de9202e70008e9297abd
SHA1: 224a8820a507c6fa7c5c66c9c02cf34988e2caec
SHA256: 097d68e0b369ede903dff9cccb097cb5bc92c5b37e5c5c79a8fd62c9508b9ba8
SHA512: dea397c9746e3bc77d464007ffbae7561258977f62acdca9a0e2395bd06647e6742670194e9b5ace5001523477c14e99395decafb25953741b0dcdf7c07195d4
-
Filesize: 264KB
MD5: da19c41763ef0bfe3705f504f0d84d24
SHA1: 2249bfc0cc251a862f550efa44d893e5a2653047
SHA256: 1ee89a44249ae1fb74f496864922f4f969551b4cc9e89f46d5e5065c01b7404c
SHA512: 1dda4a5f9a02bbe5c12928910b314abe78f713e6de8419da9d1a56540656c0613c621be34e5b45969ccde5379f23e1b39feac2e3b9f41b9bbe505bf322c7cd1e
-
Filesize: 184KB
MD5: 995b986701a22aae8755dbdc67bba456
SHA1: 0cb8c3719c03a26dc5c6cc42d07a178a638117d4
SHA256: afbe756f9eb7baa392a9f8df0827f5cce7217b71a4b2199c5bed19391e772268
SHA512: abf12a4f73edd688711c9a17211a5c996445f09b44cec95855eaa6719b98d4b36757cc5b3ae7a2846a7225fc190fe36e1f4460a5d9c72fe4b356d9659697ec0d
-
Filesize: 442KB
MD5: aaa91b88625dc2dd6bd86e5a2d32e344
SHA1: ea4ee04c73f4f752b4c8a596f7b8c9f081e39a9c
SHA256: 9e19c46750a707513e11e2210aa67a022e1583e34ebb70f89212fff29131a4e8
SHA512: c9346f27af6fa4ad11b0f08d5798b0d4bc4c210c05bd07232834b0fb115e28ee09f5d0920d93480bb5f4ac7a17caea2ec836c9b82db886632b1fd9382aae97e1
-
Filesize: 201KB
MD5: 4da3d2694e2f3236b33b9c71ea9b1328
SHA1: 956362f784aa4471b0e2ee7618afa9b0baa5e230
SHA256: bffef60111993b02662caf3be5d0ba8862bf816b9d58d736ab1a803555eae707
SHA512: 43c86728704c491255662adfef4ab76182993b28e48d37cbf64876a0c1cbee9f9a4054ca6a6cb2a6488b21071bf5df4f2d43147ce0b030a9247ec3f1b1d601e3
-
Filesize: 86KB
MD5: d415962f58fad6feb45b80f574b1195e
SHA1: 252bc03ef1ac6f05ece383408962198c0c1b2402
SHA256: 3c420198663214a4e8ff73ff5a45bcb8ed20d77934922f6779b188c6d03580a2
SHA512: 6a04b942abe362d37b3197604a179e04f112877b666131d086876e04598eaede141d29769b1d118cb9af8b9588285e742f4e03c9b60d0680d2f959ed555be3cd
-
Filesize: 100KB
MD5: 77dc26d78755b40454e3ed2578e33094
SHA1: e08b0dc5cb8770998110a5fd8d3ab4b803796216
SHA256: f47ab107b3917b347d2f76b2d4328f2b4f7c528c2cae73c51a1449cfa3e7e797
SHA512: 7ef7e34411672d2fcc1873fea4cf0fac7396d3c6c9e5851afb1feb5f84cf4cccb4613f0ea7857c634833a40b8e88077e5605eb5d50a48e2bfcb6aa85551bf121
-
Filesize: 96KB
MD5: ccc8e6060bdddc5f23ec642f2bc3debb
SHA1: 04afbfb84201e794d9c383a2fcc9b85769615bb6
SHA256: 35fef43b783764d8e85ffbd849e0e5b5ef5a1e58954d5598b37a843dcd6e4cf2
SHA512: 944223eff6fa544f633b4c816ac2339c62b3c9afd6c92000a38d3a5fc910dcde8c5fa662b6739c11cc877710d150147fd9810266efd87ce01808d29856c230e4
-
Filesize: 100KB
MD5: 919a46d5aaea88920e655e485f37dcfa
SHA1: bfa08790cdd30e2549ccdad3908af8d0b77eb3a1
SHA256: f7bfae0855b053c5bf60468d0d72640708185e7a2d0a252949e29dd0b055a8e1
SHA512: ca91e86475a67dedcf61aebe136cc76f5b9f065559a882ad5258f4bed421324e491eacd84fcae17c02729ff7832e52bdf06360de51efa79f37fea612954df2a9
-
Filesize: 22KB
MD5: 90620011e17be7567da12f6c44c6ef63
SHA1: 68ffb1313d5625fee67bb0052c2cf2a9b35dcfc7
SHA256: ce64c9670ab1d42e42db36ba9b951bb8150b80fd1082a24927f621cd1d26779c
SHA512: e9099a89f300f5d2bfd2b1fd28a5ba6176b6d8312691c7303c287f4227aaab8b514ba179d0e0108afcd641db5938450651d7b0f4cfb685c6117e786e47c0fae5
-
Filesize: 1KB
MD5: aab424674f6d554d62974bf4e4f167bd
SHA1: 80b5c31c1a7725cc141955be8b331f78ef928dcf
SHA256: a7fbb8e354dfd723c75ef036c8beac79691029a36b7ac695543bc1213e326296
SHA512: 27c594943d0e49b1597fa786c59522eed6701f352855cbdaea5830bc4392550d53f125bf28f703c8c7ef570ed47d405d542e3fdb04eeb3d311edaa3716dd3ae8
-
Filesize: 30KB
MD5: d4dbf4b0b3eea5fdfe6f6f26f6e85865
SHA1: 520eb0df100a60488116562c322d12b08fe5c7a6
SHA256: 5707bba036a86222524a36717e46ef204fd541f5c506b7c7c07a766665724bd9
SHA512: 322b6182ffd5a63f7e61cdeb56b6535adc3c541a9ccb290e4422b64601a9d352976d3f0645e5c3b81fd367d630a54021da4cfb232a5af97ac5185b34ee7b8ed3
-
Filesize: 66KB
MD5: 6d61272211f1eb58e2561daa8c09b3e9
SHA1: 85bb392da406b660b02d9cecb1ce9200bcd942da
SHA256: 90526c9a122b59138fa1b94b1e017b695c4ed95d87a56d1ad20b39a9dae5c3a7
SHA512: 704491ad63db785617b1f5909b50daf157277c304e6e01d96cf96a58bf3a6d844a3b0e40f78dc6aa2ee9886995f21c67d278797179d898506b9bfa0e40765c8d
-
Filesize: 22KB
MD5: 88a539ce8ba4fc8b083c947bec4df196
SHA1: b621dacc067a53e391c375dbb34b545db18ec2bc
SHA256: 27286060511b3ff46de9cbd4729ee981f637d8e0f1defd61dcb3665234182634
SHA512: 19fe38144fb3bac4439a232820d983b7b82c388a87970005865beb8c200c90878aa1b8887c52d13af78241ab5bd4e37ef52189ce637804d62cd79310c82f422b
-
Filesize: 31KB
MD5: 8620def1be2ca57a1f7980f5b52864cf
SHA1: 2f5a6da7b9543d96cdf09739d7413989fe757cd6
SHA256: ba8ade13b2b41abedd4d63097245991443b5dbf61c9b8eb5e4b9a118b2025795
SHA512: f6e167eff39339a85513bd7bb6b3ec821391bd6cba1da7ceb34d6d4ed673665862dd55b8568ce21909a5eecf0433b66e804e570e463e70c13c14f6e3609e7a14
-
Filesize: 39KB
MD5: 8253fef24362cb8265465e0ed6296a82
SHA1: 64da5ef60af4c704ed965667c46f7a609f56f066
SHA256: cde77d6c8e8ff445961afe8a12f2f7b7e9359308fa3aa9fdc41887512ea7a715
SHA512: 777e07ed216e2b05bd28d3c96f24c0dfe0a1c223a787143aa05ff1b772e14a41cae11cbea205f8e74018a2d12d4a21d4210c4bf327f3a6f4d74f93431f4b153c
-
Filesize: 54KB
MD5: de82b7045daa803910ece59d666fc547
SHA1: a8baa68cdc78d78e1470432513564109feefe8f6
SHA256: 95a7ad1144f2e36e35ff3b24d6cc9a18128997401cf4b8591c7b158eefadf82c
SHA512: d4f51f33b56b84ea80fbeb127d9686d8186b4624a836788878c929b2c4ba76ddd32b5bff9f7fb2b91fd74330ca97fd0573b5db110e76285856919a059a178074
-
Filesize: 56KB
MD5: 73d5ded72f7e36548cef3566a78c9f18
SHA1: bb1df32e5b08974bec253cfae2709325ede478c0
SHA256: 91dc596aa809afcbdb3101ca22d46f7c160176b76eadb383421a801670a8b9bf
SHA512: 8cb98ba1c3e19fe996476c2f1665b92f23abbbcb8188e1b1b756932bd80b22105150589853141d94680e4e09db196a9c5206cf02251bdc18d99c7649c9b477b9
-
Filesize: 45KB
MD5: 0d4ca9ed405ae6f23391e1df7c6983ef
SHA1: 5f81a674f2708ca873fbedc1cb32ca49311065e0
SHA256: 78451631da7e4f1d33f9ac9846fc61808818ff6a1bcc40222008046b14e5bf38
SHA512: b56fd7236a607c9c28425614e3fc1ecebd7f7913a637b18818a2bd57cc6fab8804edcf8a09377c94cbe0cca21fdaccde0d0d4bd9b400e8ba261816ed4f693be8
-
Filesize: 1.2MB
MD5: 0cf0555b096000458391ca90ca2acc8d
SHA1: 600d9f3b6de35c8d60cacbb9eee93f7aa17ff619
SHA256: 80f0f0c3983df2ca724555640a549d606ec457ea1096f846de257beb515e0a0b
SHA512: 37fa5a4af30539e089cf131cd5c56def42c1c7f43a941831bc2668cd3dab8baec898c05a8d925e35bb0a902ee7f424bb17af38eca85feffb68086a21e88589df
-
Filesize: 158KB
MD5: 9e4ae19000d5fb72f3549c8bfbba9889
SHA1: d429f4ec3bc9977f94c4860b88e24a76437fa60b
SHA256: c90aff82837c71562495bef0808cf8eb655ad7bcb11ff8add14f0857b5b67e42
SHA512: 3ec2b4e154a379579822cc33a1476a079862b2aa001a6bef7676e7da500b9e6da1b282075ed7483010b1ec125828fd8f7f4ecd5e05b367a2c69ead0e97e29207
-
Filesize: 64KB
MD5: 098ff9f0d1247b8001fd2b048091d8ca
SHA1: a936543aaa6aa3eae92534f61a7f4c30befc3b81
SHA256: eb28ed2add06e0f53fc5a52520bf764e8224a187374574232cde2daf9367d0d9
SHA512: 9a9793d598ffbc186724af8c2008f3e88a4679b8ec92ed495a21a64b960c644ca49ed37d0b5a05fa4cd031c789775a811b887230a6a90d7dc2d81f5730164432
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: 3d6987fc36386537669f2450761cdd9d
SHA1: 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256: 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512: 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize: 58KB
MD5: a8b651d9ae89d5e790ab8357edebbffe
SHA1: 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256: 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512: b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize: 85KB
MD5: 5180107f98e16bdca63e67e7e3169d22
SHA1: dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256: d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512: 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 298KB
MD5: 5fd34a21f44ccbeda1bf502aa162a96a
SHA1: 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256: 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512: 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
Filesize: 1.2MB
MD5: 41267b7144bea6d657e24c42e1780cfe
SHA1: 9c72eaba3b92954f738f96cc9505be5bfa42f9bc
SHA256: 62ade8debb1810a8f08f74e0571731590a4f3d2cc3f8ed487d752007f407cdb1
SHA512: 1cbbd60361596fa07affa68dcced5bee532fcdea1c327c0965f5d876c6a9e8dd576e1cb2ababe424e6bffa94e978b7f729248515293b94cac1ed33951cfce610
-
Filesize: 45KB
MD5: fe76a5f08f1bb0af4c7c775241b71b26
SHA1: 5233a499331aab2295a10779858e58e9c5b5b487
SHA256: a73f9b62327a2eb9fc5e35e8fb3b94e285f9189c9f28b0ae5b0e191071929993
SHA512: 008976baf91d476f6e5a9ed1be7b59f1fefe621cfd4575c85ed53855b9c256728ea8ee203535ef0305cad4809ac598595aa8da913eb5e36938bf40a3adc5d5db
-
Filesize: 26KB
MD5: 4e3a2b3f0ee1eb6b5d6e50216a5b061a
SHA1: 49a24f386d5a6387eb7a57ae23d5a841d6d58b12
SHA256: 243b01da7617554672730f2fe0767a1ed2cbf2802e663824e16a6a2132948052
SHA512: 074f86a2a065723787a43a9100772c60c514d9fcabce3937999c4ccfeb2715e302f8d5110db5775de0508ad7ba0a428855a3a151d8303a4def158aca8cc6f8ff
-
Filesize: 1.3MB
MD5: 8844f3f8ba684cef78a61f2365ad581f
SHA1: e72ab5e907138af466080000978f0da193e6b7bd
SHA256: b4ef1d67c572a36c6f10aebb62357369c89e829e487b9640c3d9d35fc35b7357
SHA512: 5bdf64ff45ea0555f9d74684338144040c01dfb7b57c0242295a6ea30aedd8527cc6c2d1285e19f6ef32d1fc489eac7431860ad6724cb6192afe4eaa77401f95
-
Filesize: 1.3MB
MD5: 388e1bca06274e35f8ee96cd5e31b756
SHA1: b490303d7fe5485d842e1b65c1784718f75248b4
SHA256: 470094c283cf6007dd85288846d37d5fe376af8269c77b8abf7544d1866808a8
SHA512: e752da7b1f552cf0f2ffcf183b712d389c813f6c34e3d3f2a3d9a508ededce2dd6ccfa009d3ec6b5b1cfc5217ff0c4ce93ccbb80205986350172b54dd61172dc
-
Filesize: 134KB
MD5: 3087753dd236b04e433eb308518ada6d
SHA1: 03133d6d999be044bbbf0400b4f079ca81bdedcd
SHA256: c19a4b05124de7034d49ca5f9076a990f827e26f30c7e6ae149d3bb79fd95cd7
SHA512: d74adffea97f5396e73ef891834e0d451028f9f72a5890f6e281fc12a5d276569b0b5622f724f7faf58573e1339d85522449d862fc137f1012c72eb8eb34e3fa
-
Filesize: 412KB
MD5: 68a17a2d4071dc955eaa9c477946481b
SHA1: bbfd016348cd195f310739d1ca0bf2a8bd809b38
SHA256: be92d93d602314a9c8eae27840c34bb669576649894227a75f29cbf850756926
SHA512: c0041758202f3eaa2ad378121e3219085211d979d8f2cdb468e9585fa87c6376038e95fb504faa88b19b7d2c7b1ddd129e75f1f20fa2d440b2c5affa0702c754
-
Filesize: 111KB
MD5: ba1bfe8c9c09292cffa9d0b7bcf66d65
SHA1: 3ee9d20e5a3fbdc3b1ac917cb8174339fec9ae41
SHA256: 01e4d225d982a14f775ab1a2931acdacf7bf52de8e87573192534e141ac7e520
SHA512: d57226dd39dee13f43584b53a6184e39f14258eb7787a68f4eae1183f75798ff5076a9c483a4bd8db49e402b9c33daa225f40e622087d655eea3276a42934f86
-
Filesize: 1.3MB
MD5: 8abca5006ced567902d63ccbaafe6cc4
SHA1: 9bb8701f61cb3e1e47537a083a76ef3923a9b2b9
SHA256: fffe109830c38130de011a19880203360f6c5eea370dcd6ed835cd09d2295b75
SHA512: a16970ca7f3b699136d0b7674a138b74c2e0546c67719353d2d451ab92587e24acb90c2e33a6fc16e5ba0e00095c4db583a4fcb25c8b4a433c2702f43c3a39b1
-
Filesize: 116KB
MD5: 12032973595145239a9b88c1c29c503b
SHA1: d4605f015ef884a01ae21cc3e3e4a375fc94ef30
SHA256: 69e1e98b9bcb05d0e5c81ec89ec38b2d80c1f0330c31a6bfc0cbfd9af3e5ae40
SHA512: 8fc4313ba0379d0e2cb20f3b36fa20847f77e7e1d9137209d945366917968cafb01534f83ad6a19a1f49f6fb8189a4eaade9487a703233921cd9344d28a40ca4
-
Filesize: 26KB
MD5: bc912149fe7c3044a64f66f9af91733e
SHA1: e9554a0752fcd5011ca4dd5077ec1f7c3c6dd9fc
SHA256: a67dea8762db655619412e77e9ae3b8bfd624aa4952a45020f9842b6535477e2
SHA512: 47b359ec13a20a4d687fe33f2ffb5c83ecf726e4bf65c919e8cb55ffe9002d25e103047d041703ea89492e62c1fa98538a7519028f2114798ba451183a9263ff
-
Filesize: 63KB
MD5: 905cf3c1cf442c59dc38ea3c9a0e77d9
SHA1: d7762f42a2ffa121ebcd5b767e928a9f3e2947df
SHA256: d6761235d3d1b1f001be5ae4944701a4ebff11da1c7ff14cc071d76cd1cb8a50
SHA512: f815ddeb4b614aece58b949d2103b7ca769d717872f8f68d6d3ca995049f8d921625b5274c9dadbc2273abf6b505a773b7e5a58d95bd40af36cfb41a24b53a8b
-
Filesize: 44KB
MD5: b1df0a66e6ffe08e3786a6077b73a12e
SHA1: a24f04d3e9decc4fd363f865b0b4254b025a8a43
SHA256: 5206ddbccb76e0192eed3b357da829ce3411b94761a2dea806c8094e63f8264e
SHA512: 4554148320df0d89238fd60df5b350e66cf91239e4ccfb7708bad1229097796e2db98f6580578b9c8550fe12751192a1b4681a7958db5675d60f49b2dbd8fff8