Analysis
max time kernel: 151s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 23/02/2024, 11:30
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
Size: 14.9MB
MD5: 7777965385f9180b50b561a78fc44ff1
SHA1: 2647dd3fc7b5a911301474af679c4db9f33f7842
SHA256: 29847ebafcead5a736de54c9a6ece3966787f43fb5a34542d56b77c5145d8acb
SHA512: ab23b1b9536b27da1f8867bfc4c3d2795ffaa7b1b4cc407546b9184ca92c65255ea4919e800ea649236d4ba9e967777bd4b2b44c4ce3770b3990acd53c1939f9
SSDEEP: 196608:S7AP/NNECwHrc8u3x3AEcq/fByuKlWH3CToufqrR:Sa/vQHrc8u3xXJ/f4uUWHd
Malware Config
Signatures
Detects executables packed with Dotfuscator 2 IoCs
resource                                        yara_rule
behavioral1/files/0x0006000000018ae2-93.dat     INDICATOR_EXE_Packed_Dotfuscator
behavioral1/files/0x0006000000018ae2-107.dat    INDICATOR_EXE_Packed_Dotfuscator
Detects executables packed with SmartAssembly 2 IoCs
resource                                        yara_rule
behavioral1/files/0x0006000000018ae2-93.dat     INDICATOR_EXE_Packed_SmartAssembly
behavioral1/files/0x0006000000018ae2-107.dat    INDICATOR_EXE_Packed_SmartAssembly
Detects executables packed with Yano Obfuscator 1 IoCs
resource                                        yara_rule
behavioral1/files/0x0006000000018ae2-93.dat     INDICATOR_EXE_Packed_Yano
Executes dropped EXE 64 IoCs
Loads dropped DLL 58 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 18 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid     Process
2460    2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
2460    2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
2560    ehRec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2064 EhTray.exe 2064 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2064 EhTray.exe 2064 EhTray.exe -
Suspicious use of SetWindowsHookEx 24 IoCs
pid Process 1624 SearchProtocolHost.exe 1624 SearchProtocolHost.exe 1624 SearchProtocolHost.exe 1624 SearchProtocolHost.exe 1624 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe 552 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exec:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x198,0x19c,0x1a0,0x190,0x1a4,0x140325960,0x140325970,0x1403259802⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2460_JTXRMYFZPZJGBFUR" --sandboxed-process-id=2 --init-done-notifier=536 --sandbox-mojo-pipe-token=6547052856178696349 --mojo-platform-channel-handle=508 --engine=22⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
\??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2460_JTXRMYFZPZJGBFUR" --sandboxed-process-id=3 --init-done-notifier=776 --sandbox-mojo-pipe-token=1132485580307653068 --mojo-platform-channel-handle=7722⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:1900
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1704
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 24c -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 26c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"2⤵PID:616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 1f4 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 254 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f4 -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:1888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 280 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 288 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 270 -NGENProcess 218 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 298 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 298 -NGENProcess 1fc -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 21c -NGENProcess 1ec -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 21c -NGENProcess 1d8 -Pipe 1fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d8 -NGENProcess 260 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1d8 -NGENProcess 228 -Pipe 21c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 250 -NGENProcess 280 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 260 -NGENProcess 254 -Pipe 218 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 228 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 254 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2644
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 254 -NGENProcess 288 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 1c8 -Pipe 260 -Comment "NGen Worker Process"2⤵PID:1656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 2ac -NGENProcess 264 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 264 -NGENProcess 254 -Pipe 1c8 -Comment "NGen Worker Process"2⤵PID:2156
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 250 -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2c0 -NGENProcess 2b4 -Pipe 228 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b4 -NGENProcess 250 -Pipe 294 -Comment "NGen Worker Process"2⤵PID:1112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2c8 -NGENProcess 2b4 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2416
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b4 -NGENProcess 2c0 -Pipe 264 -Comment "NGen Worker Process"2⤵PID:2356
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 2d8 -NGENProcess 1d8 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2388
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 1d8 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1f4 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:3000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2dc -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"2⤵PID:2812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2b8 -NGENProcess 2d8 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 1f4 -Pipe 1ec -Comment "NGen Worker Process"2⤵PID:2564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2b8 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:2232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 250 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e0 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 1f4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 1f4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2f4 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:1872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 300 -NGENProcess 304 -Pipe 250 -Comment "NGen Worker Process"2⤵PID:2844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 300 -NGENProcess 120 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 30c -Pipe 11c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 304 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 310 -NGENProcess 120 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2dc -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"2⤵PID:800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 308 -NGENProcess 2c4 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2200
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 310 -NGENProcess 2f4 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 2fc -NGENProcess 320 -Pipe 1f4 -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 320 -NGENProcess 2d0 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2c4 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 32c -NGENProcess 2d0 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 31c -NGENProcess 334 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:1632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 31c -NGENProcess 330 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:1712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 310 -NGENProcess 334 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:2728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 310 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"2⤵PID:2228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 338 -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"2⤵PID:576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 334 -NGENProcess 340 -Pipe 1ac -Comment "NGen Worker Process"2⤵PID:2352
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵PID:1652
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 22c -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2332
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1448
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1032
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2996
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2316
-
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:784
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1220
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2476
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:704
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2824
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1888
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1940
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2016
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1640
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2836
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1652
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:952
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1624
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
2⤵
- Modifies data under HKEY_USERS
PID:320
-
-
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:552
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize: 24B
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize: 148KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0075e246794171ba10740e59bd8e4151\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize: 83KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize: 34KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize: 109KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize: 41KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\374be9bfd378f32831da3f12c8d4388f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize: 187KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4f95c6c4df14a8bf03f641bca6ee97a7\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize: 180KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\651164228fa042cb8dbaad93b55c10be\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize: 143KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 210KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize: 53KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize: 28KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize: 27KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize: 57KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize: 130KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize: 59KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 42KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize: 855KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize: 43KB