d89504dcd16ff4e93cd4858637b7b0e71c845e42b3ee9f59cf03b954ec6a1107

Resubmissions

06/03/2024, 14:41

240306-r2v5habg8w 7

06/03/2024, 14:35

240306-rybxfsbf4z 7

Analysis

max time kernel
285s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stardock.ObjectDock.Plus.v2.01.743 [PeskTop.com].rar
Size

15.1MB
MD5

691c687cd95f173ba579323df1b81caf
SHA1

5954fee906fe54f8e0e86e0effde1420e2cb5c73
SHA256

d89504dcd16ff4e93cd4858637b7b0e71c845e42b3ee9f59cf03b954ec6a1107
SHA512

12c0300958383159051b86f30989746d6e33874fadb49caa82ee334082528bd618e76b9514f189c654130b8196ae8c172094d7a6a4d5f51a390777a0c0742b1f
SSDEEP

393216:KH/u79aupAJuEfBU8LF2ygBcpugXMsZZFxljgE1bSh9:K/uxawgBU8x2yIcpuUVl8E1bS7

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ObjectDockUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ObjectDock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	objectdockplus-v201_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ObjectDock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ObjectDock.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk	ObjectDock.exe

Executes dropped EXE 17 IoCs

pid	Process
4384	objectdockplus-v201_setup.exe
3544	irsetup.exe
5856	DeElevate64.exe
5960	ObjectDock.exe
3772	SDActivate.exe
5460	keygen.exe
4304	keygen.exe
3280	SDActivate.exe
5824	keygen.exe
5324	ObjectDock.exe
1120	Dock64.exe
1728	ObjectDockUI.exe
4192	ObjectDockTray.exe
1100	ObjectDockUI.exe
1428	ObjectDock.exe
6008	ObjectDock.exe
1956	ObjectDockUI.exe

Loads dropped DLL 64 IoCs

pid	Process
3544	irsetup.exe
5856	DeElevate64.exe
3316	Process not Found
5960	ObjectDock.exe
5960	ObjectDock.exe
5960	ObjectDock.exe
5272	mscorsvw.exe
5272	mscorsvw.exe
5272	mscorsvw.exe
5272	mscorsvw.exe
5272	mscorsvw.exe
5272	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
836	mscorsvw.exe
4872	mscorsvw.exe
4872	mscorsvw.exe
4872	mscorsvw.exe
4872	mscorsvw.exe
4872	mscorsvw.exe
4384	mscorsvw.exe
4384	mscorsvw.exe
4384	mscorsvw.exe
4384	mscorsvw.exe
4384	mscorsvw.exe
4384	mscorsvw.exe
3924	mscorsvw.exe
3924	mscorsvw.exe
3924	mscorsvw.exe
3924	mscorsvw.exe
3924	mscorsvw.exe
3924	mscorsvw.exe
3924	mscorsvw.exe
3664	mscorsvw.exe
3664	mscorsvw.exe
3664	mscorsvw.exe
3664	mscorsvw.exe
3664	mscorsvw.exe
3664	mscorsvw.exe
3664	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2720	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2788	mscorsvw.exe
2524	mscorsvw.exe
2524	mscorsvw.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d00000002368f-1310.dat	upx
behavioral2/memory/5460-1317-0x00000000002D0000-0x00000000002EA000-memory.dmp	upx
behavioral2/memory/5460-1319-0x00000000002D0000-0x00000000002EA000-memory.dmp	upx
behavioral2/memory/5460-1543-0x00000000002D0000-0x00000000002EA000-memory.dmp	upx
behavioral2/memory/5460-1717-0x00000000002D0000-0x00000000002EA000-memory.dmp	upx
behavioral2/memory/4304-1802-0x0000000000AE0000-0x0000000000AFA000-memory.dmp	upx
behavioral2/memory/5824-1925-0x0000000000D20000-0x0000000000D3A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\Stardock\ObjectDock Library\desktop.ini	ObjectDock.exe
File created	C:\Users\Admin\Documents\Stardock\ObjectDock Library\Desktop.ini	ObjectDock.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ObjectDock.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Reactor\tab_on_top_selected.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tiles\Glass 'GL Series'\Glass (s).png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Caliginous\tray.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Speedy\speedLR.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Woody\woodT.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Power\icons\6.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tiles\Carbon Disc\carbon_disc.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Impulse Black\background.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Applications\Skype.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Data\Zoomer_Effects_2GhostS.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\AniTile5.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Misc Icons\My Computer.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Clock\Clock_readme.txt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\AniTile11.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\AniTile8.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\TilebarMinimizeM.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Weather\icons\38.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\ExpandDropdownD.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\plus.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Alloy\separator_left.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Alloy\separator_right.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Caliginous\background-l.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Applications\Chrome.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Misc Icons\Unload ObjectDock 2.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\ExpandDropdownMargin.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\SDActivate.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Aero No 2 Black Font\TabLR.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Reactor\separator.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\Aero Reflecting\background.ini	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\impulse.dll	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\BlackOps\Readme..txt	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Reactor\tab_on_left_selected.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\AniTile8.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\ButtonWhiteHoverMargin.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\ButtonWhiteD.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Weather\icons\47.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\TilebarFooterD.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\pluginsdisabled.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Simple Tabs\Simple_Back_Right.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tiles\Rusty Square\config.ini	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Applications\Thunderbird.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Data\Zoomer_Effects_3S.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Weather\icons\13.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\WelcomeBtnVideoD.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Weather\icons\27.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\HelpTipFrameD.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Simple Tabs\background.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Applications\Apple Quicktime.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Applications\mIRC.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Bundled Images\Applications\Yahoo Messenger.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Data\Zoomer_Effects_1.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Power\icons\8.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\BlackOps\background-l.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Live Tabs\TabSelect_LR.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\Reactor\separator_vert.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\TigerTabs\Tab_LFT_NS.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\ContentBackD - Copy.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Tabs\K-TEK Tabs\KT4DHtabL.png	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\SilverTray\Read Me!!.txt	irsetup.exe
File opened for modification	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Power\icons\na.png	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\SDActivate.exe	irsetup.exe
File created	C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Clock\Clock 3.png	irsetup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1d.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index2d.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7913.tmp\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index29.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index10.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index20.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index26.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index10.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index20.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index32.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index22.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2764.tmp\System.DirectoryServices.Protocols.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index31.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP842F.tmp\System.Drawing.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index26.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index2a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index22.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index29.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index2c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index28.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index21.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index23.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index32.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index22.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index2f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme\ = "ObjectDock Theme"	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\DefaultIcon	ObjectDock.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockpack	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\shell\open\command	ObjectDock.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	keygen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme\ = "ObjectDock Theme"	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\shell\open\command	ObjectDock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\DefaultIcon\ = "\"C:\\Program Files (x86)\\Stardock\\ObjectDock Plus\\ObjectDock.exe\",1"	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockzip	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockpack	ObjectDock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme	ObjectDock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\ = "ObjectDock .DockZip's contain image files that other users have packged up to share, which automatically get added to your ObjectDock Image Library when opened."	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockzip	ObjectDock.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	keygen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\DefaultIcon\ = "\"C:\\Program Files (x86)\\Stardock\\ObjectDock Plus\\ObjectDock.exe\",1"	ObjectDock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockzip\ = "ObjectDock DockZip Image Package"	ObjectDock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\DefaultIcon\ = "\"C:\\Program Files (x86)\\Stardock\\ObjectDock Plus\\ObjectDock.exe\",1"	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\shell\open\command	ObjectDock.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.docktheme	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet	ObjectDock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.docklet	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\shell\open	ObjectDock.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a0031000000000066585475100053746172646f636b0000420009000400efbe66585475665854752e0000001d33020000000700000000000000000000000000000033532401530074006100720064006f0063006b00000018000000	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\shell	ObjectDock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	keygen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\ = "ObjectDock Theme Package"	ObjectDock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	keygen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme\shell\open\command	ObjectDock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\ = "ObjectDock Docklet"	ObjectDock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\shell	ObjectDock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	keygen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.docktheme\ = "ObjectDock Theme"	ObjectDock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\shell\open\command\ = "\"C:\\Program Files (x86)\\Stardock\\ObjectDock Plus\\ObjectDock.exe\" \"%1\""	ObjectDock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 980031000000000066585475110050524f4752417e320000800009000400efbe874fdb49665854752e000000c304000000000100000000000000000056000000000033532401500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	keygen.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
4192	ObjectDockTray.exe
4192	ObjectDockTray.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3844	7zFM.exe
5324	ObjectDock.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	3844	7zFM.exe
Token: 35	3844	7zFM.exe
Token: SeSecurityPrivilege	3844	7zFM.exe
Token: SeSecurityPrivilege	3844	7zFM.exe
Token: SeSecurityPrivilege	3844	7zFM.exe
Token: SeSecurityPrivilege	3844	7zFM.exe
Token: SeSecurityPrivilege	3844	7zFM.exe
Token: 33	5324	ObjectDock.exe
Token: SeIncBasePriorityPrivilege	5324	ObjectDock.exe
Token: SeDebugPrivilege	4192	ObjectDockTray.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
3772	SDActivate.exe
5084	msinfo32.exe
5084	msinfo32.exe
3844	7zFM.exe
5460	keygen.exe
3844	7zFM.exe
3844	7zFM.exe
3844	7zFM.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
5324	ObjectDock.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3544	irsetup.exe
3544	irsetup.exe
3544	irsetup.exe
5856	DeElevate64.exe
5460	keygen.exe
5460	keygen.exe
5460	keygen.exe
5460	keygen.exe
5460	keygen.exe
5824	keygen.exe
5824	keygen.exe
5824	keygen.exe
5824	keygen.exe
5824	keygen.exe
5324	ObjectDock.exe
5324	ObjectDock.exe
1120	Dock64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3844	1820	cmd.exe	96
PID 1820 wrote to memory of 3844	1820	cmd.exe	96
PID 3844 wrote to memory of 4384	3844	7zFM.exe	107
PID 3844 wrote to memory of 4384	3844	7zFM.exe	107
PID 3844 wrote to memory of 4384	3844	7zFM.exe	107
PID 3844 wrote to memory of 5084	3844	7zFM.exe	109
PID 3844 wrote to memory of 5084	3844	7zFM.exe	109
PID 4384 wrote to memory of 3544	4384	objectdockplus-v201_setup.exe	110
PID 4384 wrote to memory of 3544	4384	objectdockplus-v201_setup.exe	110
PID 4384 wrote to memory of 3544	4384	objectdockplus-v201_setup.exe	110
PID 3544 wrote to memory of 4536	3544	irsetup.exe	117
PID 3544 wrote to memory of 4536	3544	irsetup.exe	117
PID 3544 wrote to memory of 4536	3544	irsetup.exe	117
PID 3544 wrote to memory of 5856	3544	irsetup.exe	119
PID 3544 wrote to memory of 5856	3544	irsetup.exe	119
PID 4536 wrote to memory of 6096	4536	cmd.exe	122
PID 4536 wrote to memory of 6096	4536	cmd.exe	122
PID 4536 wrote to memory of 6096	4536	cmd.exe	122
PID 5960 wrote to memory of 5124	5960	ObjectDock.exe	123
PID 5960 wrote to memory of 5124	5960	ObjectDock.exe	123
PID 5960 wrote to memory of 5124	5960	ObjectDock.exe	123
PID 5960 wrote to memory of 5152	5960	ObjectDock.exe	125
PID 5960 wrote to memory of 5152	5960	ObjectDock.exe	125
PID 5960 wrote to memory of 5152	5960	ObjectDock.exe	125
PID 5960 wrote to memory of 5148	5960	ObjectDock.exe	127
PID 5960 wrote to memory of 5148	5960	ObjectDock.exe	127
PID 5960 wrote to memory of 5148	5960	ObjectDock.exe	127
PID 5960 wrote to memory of 5220	5960	ObjectDock.exe	129
PID 5960 wrote to memory of 5220	5960	ObjectDock.exe	129
PID 5960 wrote to memory of 5220	5960	ObjectDock.exe	129
PID 5124 wrote to memory of 5272	5124	ngen.exe	131
PID 5124 wrote to memory of 5272	5124	ngen.exe	131
PID 5124 wrote to memory of 5272	5124	ngen.exe	131
PID 5960 wrote to memory of 3772	5960	ObjectDock.exe	132
PID 5960 wrote to memory of 3772	5960	ObjectDock.exe	132
PID 5960 wrote to memory of 3772	5960	ObjectDock.exe	132
PID 5124 wrote to memory of 836	5124	ngen.exe	134
PID 5124 wrote to memory of 836	5124	ngen.exe	134
PID 5124 wrote to memory of 836	5124	ngen.exe	134
PID 5124 wrote to memory of 4872	5124	ngen.exe	135
PID 5124 wrote to memory of 4872	5124	ngen.exe	135
PID 5124 wrote to memory of 4872	5124	ngen.exe	135
PID 5124 wrote to memory of 4384	5124	ngen.exe	136
PID 5124 wrote to memory of 4384	5124	ngen.exe	136
PID 5124 wrote to memory of 4384	5124	ngen.exe	136
PID 5124 wrote to memory of 3924	5124	ngen.exe	137
PID 5124 wrote to memory of 3924	5124	ngen.exe	137
PID 5124 wrote to memory of 3924	5124	ngen.exe	137
PID 3844 wrote to memory of 5460	3844	7zFM.exe	138
PID 3844 wrote to memory of 5460	3844	7zFM.exe	138
PID 3844 wrote to memory of 5460	3844	7zFM.exe	138
PID 5124 wrote to memory of 3664	5124	ngen.exe	139
PID 5124 wrote to memory of 3664	5124	ngen.exe	139
PID 5124 wrote to memory of 3664	5124	ngen.exe	139
PID 5124 wrote to memory of 2720	5124	ngen.exe	140
PID 5124 wrote to memory of 2720	5124	ngen.exe	140
PID 5124 wrote to memory of 2720	5124	ngen.exe	140
PID 5124 wrote to memory of 2788	5124	ngen.exe	142
PID 5124 wrote to memory of 2788	5124	ngen.exe	142
PID 5124 wrote to memory of 2788	5124	ngen.exe	142
PID 5124 wrote to memory of 2524	5124	ngen.exe	144
PID 5124 wrote to memory of 2524	5124	ngen.exe	144
PID 5124 wrote to memory of 2524	5124	ngen.exe	144
PID 5124 wrote to memory of 3496	5124	ngen.exe	145

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Stardock.ObjectDock.Plus.v2.01.743 [PeskTop.com].rar"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Stardock.ObjectDock.Plus.v2.01.743 [PeskTop.com].rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\7zO40FC3637\objectdockplus-v201_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO40FC3637\objectdockplus-v201_setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:4352538 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\7zO40FC3637\objectdockplus-v201_setup.exe" "__IRCT:0" "__IRTSS:19467629" "__IRSID:S-1-5-21-1904519900-954640453-4250331663-1000"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Stardock\ObjectDock Plus\folderperm.cmd" "C:\Program Files (x86)\Stardock\ObjectDock Plus""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\SysWOW64\cacls.exe
        
        cacls "C:\Program Files (x86)\Stardock\ObjectDock Plus" /E /G Everyone:F
        6⤵
        
        PID:6096
    - - C:\Program Files (x86)\Stardock\ObjectDock Plus\DeElevate64.exe
        
        "C:\Program Files (x86)\Stardock\ObjectDock Plus\DeElevate64.exe" "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5856
- - C:\Windows\system32\msinfo32.exe
    "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO40F1B7D7\embrace.nfo"
    3⤵
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow
    PID:5084
- - C:\Users\Admin\AppData\Local\Temp\7zO40FC3808\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO40FC3808\keygen.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5460
- - C:\Users\Admin\AppData\Local\Temp\7zO40F60B19\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO40F60B19\keygen.exe"
    3⤵
    - Executes dropped EXE
    PID:4304

C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe
"C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockTray.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 21c -Pipe 228 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:5272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 2d0 -Pipe 22c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:4872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 224 -Pipe 21c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:4384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2e0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 224 -Pipe 234 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 2cc -Pipe 2d8 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 224 -Pipe 300 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 224 -Pipe 2e8 -Comment "NGen Worker Process"
    3⤵
    PID:6072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"
    3⤵
    PID:5020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 324 -Pipe 2e4 -Comment "NGen Worker Process"
    3⤵
    PID:4520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 320 -Pipe 31c -Comment "NGen Worker Process"
    3⤵
    PID:5824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 2dc -Pipe 2f0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 2fc -Pipe 32c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
    3⤵
    PID:6120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 30c -Pipe 2f8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 224 -Pipe 318 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 334 -Pipe 224 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 1cc -Pipe 2dc -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 35c -Pipe 338 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 320 -Pipe 2fc -Comment "NGen Worker Process"
    3⤵
    PID:5700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\RenderPanel.dll"
  2⤵
  - Drops file in Windows directory
  PID:5152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 0 -NGENProcess 228 -Pipe 234 -Comment "NGen Worker Process"
    3⤵
    PID:5116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\MyDock.Util.dll"
  2⤵
  PID:5148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 220 -Pipe 22c -Comment "NGen Worker Process"
    3⤵
    PID:5784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 238 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:396
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe"
  2⤵
  - Drops file in Windows directory
  PID:5220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 228 -Pipe 22c -Comment "NGen Worker Process"
    3⤵
    PID:5104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 2cc -Pipe 238 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 228 -Pipe 2d0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 228 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2e0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
    3⤵
    PID:4056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2f4 -Pipe 314 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 300 -Pipe 2bc -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2ec -Pipe 318 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3576
- C:\Program Files (x86)\Stardock\ObjectDock Plus\SDActivate.exe
  SDActivate.exe -prodname="ObjectDock Plus" -prodver="Stardock" -appid=1169 -sigpath="C:\Program Files (x86)\Stardock\ObjectDock Plus\sig2.bin"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3772
- C:\Program Files (x86)\Stardock\ObjectDock Plus\SDActivate.exe
  SDActivate.exe -prodname="ObjectDock Plus" -prodver="Stardock" -appid=1169 -sigpath="C:\Program Files (x86)\Stardock\ObjectDock Plus\sig2.bin"
  2⤵
  - Executes dropped EXE
  PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:5336

C:\Users\Admin\Desktop\keygen.exe
"C:\Users\Admin\Desktop\keygen.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5824

C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe
"C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockTray.exe"
  2⤵
  PID:2588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
    3⤵
    PID:5908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\RenderPanel.dll"
  2⤵
  PID:5988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
    3⤵
    PID:544
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\MyDock.Util.dll"
  2⤵
  - Drops file in Windows directory
  PID:184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
    3⤵
    PID:1208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe"
  2⤵
  - Drops file in Windows directory
  PID:6132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 0 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
    3⤵
    PID:5308
- C:\Program Files (x86)\Stardock\ObjectDock Plus\Dock64.exe
  "C:\Program Files (x86)\Stardock\ObjectDock Plus\Dock64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1120
- C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe
  "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe" /generatedefault
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockTray.exe
  "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockTray.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g-xn1cpq.cmdline"
    3⤵
    PID:6120
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED12.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCED11.tmp"
      4⤵
      PID:5228
- C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe
  "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1100
- - C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe
    "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe" /detectver
    3⤵
    - Executes dropped EXE
    PID:1428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hadccipf.cmdline"
    3⤵
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES373A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3739.tmp"
      4⤵
      PID:3436
- - C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe
    "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe" /createpreviews
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockTray.exe"
      4⤵
      Drops file in Windows directory
      PID:4960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 0 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
        5⤵
        
        PID:4996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\RenderPanel.dll"
      4⤵
      Drops file in Windows directory
      PID:2924
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
        5⤵
        
        PID:2432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\MyDock.Util.dll"
      4⤵
      Drops file in Windows directory
      PID:3416
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 0 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
        5⤵
        
        PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe"
      4⤵
      Drops file in Windows directory
      PID:5100
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 23c -Pipe 248 -Comment "NGen Worker Process"
        5⤵
        
        PID:3260
- C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe
  "C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockUI.exe"
  2⤵
  - Executes dropped EXE
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Stardock\ObjectDock Plus\Backgrounds\Zoomers\K-TEK\Readme.txt

Filesize
72B

MD5
3599705ebe4ab404b848c0f38220a713

SHA1
fc3e7140d923fa81b10dfe749025660d1c9d9249

SHA256
fa66f6b730756088afda83efda0e490f204c646e8fee3ae36ade6baf9c7a3d08

SHA512
b33b6f1b074a804ecd7af8cf57bae31fc4d5556b3ef45fb77b4c07f9b6ee8329fbcde74e3585e4a954fd01c7f75b1061ebe4a9fec1552d63316c353361d368d6

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\CrashRpt.dll

Filesize
789KB

MD5
a76d9b503116680a7919dcf4e0f87fc8

SHA1
01755d3132638a786f0b6783b19372c4c4b4f295

SHA256
2b30134d04b7838327ec3cdb13ccff08241a670e1fe7e5e11100a9176ad2c132

SHA512
2abdd049d9be8080d681001fc6bfa4a16d78335ff5c421ea84600f392c123e4743345b0e8ccbfd0ef9b707893574b14706587a5cdf2db47f3d594a63b6696d82

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\DeElevate64.exe

Filesize
10KB

MD5
77f4f5243e1f2eab70e253e138488754

SHA1
6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

SHA256
22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

SHA512
64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\DeElevator64.dll

Filesize
9KB

MD5
db9c3e098d91c9111d7523de0aa9c221

SHA1
37d0bea36b530d1038929a0d3a9df093e949fbae

SHA256
c2826461686e08bad7e2832eef739601e265c57deedf172816a1b356de2b0968

SHA512
889e62bf24198f81cfb13e4364e6326dad05ad31cd2a5c3f8d40cfbd1eecca3a10a7a8b5eb6e87f98dd32c200d35b66c6f78fb55fa6476e0786d0e307b542ce0

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\DefaultAppImages.ini

Filesize
12B

MD5
341ca702d48c433d9170309072478dfe

SHA1
d09555d74363d65ee066d1e9a7f64caf95eb11ca

SHA256
bcd57e2d7900d552aef8d74cc2dca7f0a28e3adb95ab139c6878dee52da8d7f9

SHA512
6a99d21920a2a1bba7addca5ed667a9a9a291c4c0a473881d6e77df3466fc7442325947dd6c2dc5cceaba92a03fbf8a47ef0aae844d2fa25e22653ebe517d7b3

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\DefaultCurrentTheme.ini

Filesize
3KB

MD5
d6557814b9a02c0bbdbb489cab5d7adb

SHA1
76808bb32ce7f1ef0fadeeeb280f9841c9441c36

SHA256
1782f610cd07cdcf47bceb5c6d84d70889c12262dfece2d09ab4fd9957ec4812

SHA512
229c910eaf2790abf3718df69874951f4845187bbd4260fdcc5d52d2a77b1dd0294cf746f1609314d8fb18ba30b7cde30c7e4d93aec68435de60543920d25d4e

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\DefaultSettings.ini

Filesize
1KB

MD5
5141b80710b9850ce8f12ef41b7eb981

SHA1
f8fdc410cd054f237c3547c29a0e603a5232ebe7

SHA256
3dd15ac44fe045628dec49372ee1ccc4623cc227419a96ceca39e6dee0ba6274

SHA512
2650678473d9d614f64965456319568598f359c77e0be7970b1adc890aa151b3eefa217925c36a3adb5bcecdfb81fdbf9847afe591dcdd446ce8dc3f122ab379

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\Docklets\Weather\icons\04.png

Filesize
17KB

MD5
162c7388735d7bdc655ad47623db1e1a

SHA1
43356bc876b8dbcdb95e80ce544b863d6d05c7ce

SHA256
4113b4cbea36469404e633ce40c006ed74fd6a45d667f8ea98cece46186700bf

SHA512
3f49f259912326690da5756c44f33983a466814073832c705ad3a536deb3b5665576c521c7069db2bac404677267a7e12adc3ed171242f939f05f5da3c9dd793

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\MyDockLib2.dll

Filesize
247KB

MD5
9a0621801ec6ee32d5231c2aed51cda0

SHA1
6dd65f5cb05be764f5978230cd80f7e1317bf91a

SHA256
f4a0b470c01702eb88a22c9ed843415254c5c68536f175c1906cfdae3f5fce03

SHA512
f9531fa6a6f40181df9bd7b8c686f865117248fb72df4180d47cd289f6884148d46576bc2740d34e0622d8a6fd3772b2e100c1577d1301c2d8a0fb8057b033be

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\MyDockLib2.dll64

Filesize
304KB

MD5
6aac71395088bbddfc7a5d7cb5fe9d56

SHA1
ac7139c966c4c78f60d2494d1c05990c9dad9257

SHA256
5caa9de92703390370d336f4762b8a7f6910891a8c249aac91ec3c032e51ad3f

SHA512
7cde29d24f1f879327850d608406763fea07e8ad3a851c2064fc4e444c356cbf5f294941db5a54eb07f77787b10adcecd0f0470b953bc4b09007ebb06c2f2d19

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe

Filesize
640KB

MD5
442273d4f11cb6c0402da85d7266168e

SHA1
6e30de32d5d13ac5fbae75f1ca136d6c560f3382

SHA256
b1ca98ad8a823561b191204389567ed8a8828bdfc035fc616906bbc9a4497742

SHA512
b40dba1647351188508c7dcc01cbba71de34cb6f915a7d576821a9b7f8ef78e14a64be69c3643421ba340c72d1bc1d8b171ffba995a85077dac5b2bcb8588058

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDock.exe

Filesize
256KB

MD5
848297f8985cfbc2f235b5466bf67a46

SHA1
c0a9ee697ed11c00b96a58a1f083b93a29b7da6c

SHA256
4515a6b7b635d4dab3f5b9ff39b7d917e06192d0844e2e0093b45a6dcd9b543f

SHA512
1e43bc4450fcfd439c621228a3a712240bb375caf8b51d28cf13db5e55ee5241f492aab8db653fbc4a30702ecc7bfad811b6cb15981d0c19db02dd3262930a32

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\ObjectDockTray.exe

Filesize
290KB

MD5
8cbe1bc81d4e0395cb73717c0316fa38

SHA1
119ac232be0dbbc844d0c9c2a961b746008cfee7

SHA256
a2e2ee0f6a5e808b12da14366c23857b8d810c7e0433a3c305e04b1a23568026

SHA512
7110aed5af7a321e2fcd94847a69883da6caae702ac06b95f81283217242f0be95a8ba31f602154b020b5000a50eda609ed3b3fcdb5602207599909bb82fc791

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\RenderPanel.dll

Filesize
104KB

MD5
2b923ab0cf48501a8f973adb4483354e

SHA1
c0fffaaebd2f6cab93295c562c6ba35164539765

SHA256
280738660d578dfaea4821a55254e0aed338df2206c40a43131c1629a1fa53ad

SHA512
a66eddae5510dae38ef450d5b2f94a2dfed6f80410986e166f20cb66d31e29db16713dfbacb80c7981ff9551a8ea5b003ba32d39b6c9f45e8be20d52d1a74be0

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\Running Indicators\White Circle.png

Filesize
785B

MD5
465f43487a261be0cd25cb0fadd9443c

SHA1
78f7427b9c3fefd7507602bb3d0cd7cbf9ded0e8

SHA256
d82d81e052001c705e5080447995ab28c24c21c189a7a4435040a0431e08ed8e

SHA512
4fe7654c2d82b3e96abb239e4d5f8df0ca9a2eafb8a58563097230b2bfcabe61adf54e94af92c322689ba79ebc5e877bcb963dfcaa822f1d95766619b4755609

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\SDActivate.exe

Filesize
422KB

MD5
3109ac014e1470d70c5873e919526dfe

SHA1
7f5031e2172ddbf5a6414123bc1958fb96bd5718

SHA256
4195be509532af0c2768bbb9e88ae8f1fb2e0fde9c677c37488f7bb83c3da334

SHA512
22d357fd7f1b4039c09092cf9f89b5f3ce39e71fa4d22792671cd96fb13a605170936b6051c49eeb3d2bee013681777c9de299136d2ddefe4210649d2e0d0060

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\Skin\UI\TileMargin.xml

Filesize
252B

MD5
65e632f9841c361a062730aff84d8842

SHA1
8e9381aa82d50584107c2ec019d300490c466ee4

SHA256
e49c1c53687a8ef5bbfa977a288c6050e7a90ffd65368fc25633d0eaef28772f

SHA512
1b0d0d96c6e722688176c21646b782798cae176db28bc91c7794ff788e6129963c3ef15a622249674492fb1c7e76b44f06dfafaf3178f200af1785dcde2eac73

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\Uninstall\IRIMG2.JPG

Filesize
28KB

MD5
ac40ded6736e08664f2d86a65c47ef60

SHA1
c352715bbf5ae6c93eeb30df2c01b6f44faedaaa

SHA256
f35985fe1e46a767be7dcea35f8614e1edd60c523442e6c2c2397d1e23dbd3ea

SHA512
2fbd1c6190743ea9ef86f4cb805508bd5ffe05579519afafb55535d27f04f73aa7c980875818778b1178f8b0f7c6f5615fbf250b78e528903950499bbe78ac32

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\Uninstall\uninstall.xml

Filesize
143KB

MD5
80270b4ab69d07150b63eb7ebf6b646d

SHA1
1fa5abe1b4ff0baf07d4018a643706b9a2ed27f2

SHA256
badfb41e55141c1052b47ca570920d9ffe31c3020e28097da8d53bbe40324a45

SHA512
3bb80292cc5e676bdeba51735d1b48cb0f70edb8492a76e6272b139e1fc6b2820e2b97f8984a904a5b823484a59f0bfd1846428a568b16a394d0922f6aaa1180

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\Uninstall\uninstall.xml

Filesize
153KB

MD5
664be3ce30445c70938404f6b4c0f97c

SHA1
c99719875f4d80c582967d4baaf60d410a0fe15f

SHA256
ba6364e2e0c1081308c01b27d55e294578d25e01e9d63ac5e64fb798ab922884

SHA512
843b2d6da64adb445b23415b5f11d342404c23913891c87390fd4423f361b0803a2e4e9fb16df1f210474ee556d270ab38afdd46ff5dfa6ecec31ac149a3103f

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\dbghelp.dll

Filesize
1014KB

MD5
148423fdbc7f0b07d8d166414c95b8ab

SHA1
aec78b99dbfff5071f9dba74117ba6e5228f89f6

SHA256
72877fb0af03745e2a78414ddaa05f1871703ad4c0d16d43d4ae62971ff52f0b

SHA512
82f0ce44858bdc4ff3522d8c7853c073d33dacdec53d9b9b31c32be3f4ded2ed102a55dae316611b9359eedb24b3aa698474c39b989c15231b3cb8fa79f1cc59

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\folderperm.cmd

Filesize
25B

MD5
d43f1611f19c18eea620fd5312524182

SHA1
63c14604b3c5439bb29aeade3280924d4f6cd86b

SHA256
2e46be7d1da9afba897bc6107ab05b754b8a4e9aca193257eef9f1c13815144e

SHA512
002b37eb9ba0ebc7b95959918f925a9d0b509604aa5f59026c835d6f7540ea8fba42dbe2663bf303093a12025a9c5e115475a70f38443783a3f3475daf9ed2c1

Download Submit
C:\Program Files (x86)\Stardock\ObjectDock Plus\zlib.dll

Filesize
52KB

MD5
87eddceb9d22c129e386e652c5cda521

SHA1
0447ff30dfe7a5234624ea21a6947e88f6e80054

SHA256
792d768258eddaec86d9263e51ff64ee6f0bed2f28205f535ee150e94f8d6a2b

SHA512
83ae55dde165165b8001463cb3c4b3713ddc5108a68af5289055bdb10b2c10f1338e2eb6337703edc299e375f9c9f04e757d92eee535994ab61c841e2dff78ec

Download Submit
C:\Users\Admin\AppData\Local\ODUI\ObjectDockUI.exe_Url_smgn5ugfwb4p2f4cxt1pvrerrqq4paih\1.99.0.742\5b_3erha.newcfg

Filesize
789B

MD5
f82d19afe9d4f1e054ee0bf0cfb24929

SHA1
581b8efbebe2d57a24ed4ceddd5ff5551224bbfb

SHA256
a104cad6b1e3d2c809769a4efdaf9ea0ab49b9ea537cafcb00a476740c5d3370

SHA512
617286fdb8aa1f2466e150677144d8ea5fee5316174bc6ebb0c3f39d9789d81d518a7ec5f420a6466b592f12785867933e69772b72e661f9f4d4b5691e05bbfe

Download Submit
C:\Users\Admin\AppData\Local\ODUI\ObjectDockUI.exe_Url_smgn5ugfwb4p2f4cxt1pvrerrqq4paih\1.99.0.742\na9bwhz1.newcfg

Filesize
789B

MD5
028dac28f5e643a2854101f6232a09c4

SHA1
3c0b346a8550f651dd38c46d683807a5557330a1

SHA256
ef79a03002be8280482a92c46ee050c4f7726cb8ea9219882c640bcc7b18a2bc

SHA512
985c204ffee99a28c9658ea5eb87662657f47d034e6b26f872777eebeb4163bc7559663dbc1e77f080a0df3042bf69a1c9ac2885c425aa6fb36a271411737238

Download Submit
C:\Users\Admin\AppData\Local\ODUI\ObjectDockUI.exe_Url_smgn5ugfwb4p2f4cxt1pvrerrqq4paih\1.99.0.742\user.config

Filesize
789B

MD5
ad317a9c257eeea4ac69cc200ce80f5f

SHA1
2377f4575c92e1cd277ae4783e05ba32056616e1

SHA256
b4747dedb7865943aeb677ebe540b4be64c0e0d1ff5cc8634d8695835afd5cbb

SHA512
ffeb0e93185bc0bddca36867a89ad3628ca465600448113c73cb2f942d53d4b6e65dedfdcc6f6fcd3d681eb081986b885a5029379b57abe111a7a8fc78ceee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40F1B7D7\embrace.nfo

Filesize
9KB

MD5
2972a0a2a349c43fe0771ad2249ca0b2

SHA1
d04b8226a71aadcb4c47cd6bff58f7663ee1a549

SHA256
23c05b2ea3884ea987f5468d946093978b3af2bee6fdff52ea1f48eb7c480b5e

SHA512
1f186687af868cdeabd5a98785d325d07f91c70e8cd94711edc69bea1fac16d0898c71dfb200663777a5b5b7592f255778142a26685a860c6a34496eeb0d2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40FC3637\objectdockplus-v201_setup.exe

Filesize
128KB

MD5
acacc88178004f078eb677a5c596a34e

SHA1
0b3098395df2f0d93bc6bce2d1c045527f95b358

SHA256
8fc97a7f5050ba3d9f5927c9b92a3c080cd202b8a1be7a205d4af6c3b92fcbb3

SHA512
142d5948b9b3d9f0444124173e89f81c3fde653777b66eb0633408eddeba14a38a4532fc4c9b63e34a24bb7261ff16998235fddca0c3bbbe38ef818295eed778

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40FC3637\objectdockplus-v201_setup.exe

Filesize
8.1MB

MD5
55778b9321880d8e4d41be856428641e

SHA1
4cf506eec5e050f8d7a557254b29345fec00b28e

SHA256
ca35b3b6db6dad7a9c77ccbaf9d781b57409a7f871aabe18b3d2a5bf81db37eb

SHA512
131e82e5cc6f7f343d3bd12d25dc365f4a249f777bb991fe26edf2c5c387f39e34fecb05fd4ce344c97284e2bc78c75fa57d4a4cf745d5caa46cc9f66cc23130

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40FC3637\objectdockplus-v201_setup.exe

Filesize
10.2MB

MD5
d0f53974157b7205a8d914f726fc0a19

SHA1
c919a97cb069951710b695b6f267e72d9b8454e1

SHA256
10187ebc0147fe46abd9ebe6c1eb55a3ca7dd3f7ed0de340511eaa67218d763f

SHA512
bbc6691a2469a0cc4ab07bab6762e6ab7b46953b55dba447bafa42516efe65bd076c65e92e6b80cceddb702427a411e4caa7debaed6f901dc48876900209be06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40FC3808\keygen.exe

Filesize
47KB

MD5
24b602e342921adbf19a27b79b804492

SHA1
8ee94d0f47dd95478ba530ed3a95a851585590f6

SHA256
66c6d4d5396e136b7a02da63bb714f687a5cdd219f13a027de8adf0846f3d3c5

SHA512
f770ae846b9ccfd1dee071e23cac293eaa6424443f8209a429b188f8817f0740878fdc337b4f9d50573a64aa26402a3f8656fb10aa1e7d8422d2e2799ed6b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
3.6MB

MD5
f9f5ff16f32f35a9f65a5a8689af4dce

SHA1
2d4f197dd8cdc26e4e2e30c3770def9ecb6dffdd

SHA256
374bb48c9313ebb5dd39cdddcd6ce2522c741f0575de6683410482b5b095dfa7

SHA512
aff9455a8724efa648685dc979ea34635e8c744bf6887675cb460d13152e653374671f662047c06b47872d9fe0007f10db842d0bcd9ef9fa938af130164c59c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
56e2cb184a24aedb473880462197cac4

SHA1
91aa64464fa96fb5de4c45718ecff507a3ab3fb3

SHA256
1dee56b3376f69bf440ab1ac363bdb5a1b7860620306b48a6632c2c3c9f59d59

SHA512
d51579ce41f128b2fd76fd1a047d7a7824238845a6abe459b55da76b5dde085cdeb9d3ee6408d4eda5579b550db8af05b87644a55cda2f436beb6ef3486debc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
44KB

MD5
3b853e9e98de194b25b4e66c70f0b4e2

SHA1
b6d475ccdbc3bec9163d986c124157e3746c9fc6

SHA256
ce36b188abb3bb95e9b21bb25f0efe84918197fdd7350d9badc07081db43fe64

SHA512
79f2f522be0f9864a5f1d2fb8463c2a0cf1990f99f4f6f3eff210f23e39abb8090a78cbbd30bbbe3e15467a1178b1fe5b94d18b446f8f566be32fa640439c0c7

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
44KB

MD5
7a29134026718cc5a7a4e18da89d3b12

SHA1
8c9045c5c8340549973e47621ffee8530627b7d8

SHA256
4d1b903bac2a13e6cc8e29188d2bf1bda098edb936b0a8a1b83d24de74e15a39

SHA512
29bee78ee0f28f1b41d0cec1c1d3276855d32b182720e5a2e418b0efbdd0823b24d5fa1e3c5d3e8adc6da4426cec35224bbe0a881be7c43fa65e3fa9c7ee2e5c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
45KB

MD5
911a965e9b282d71593af7455692cf10

SHA1
0f5f30ae687c3eced5be9654740e961341b64c77

SHA256
e5a4be8ad6375cae5bd25b31f09359ebf7ba90660d1cf9d2b3e33561e979bd6b

SHA512
ba89084d7e3545f2cb45e119c7de4df42607a66105d4c4d86c48f9a3388959db60c9a2bf0357789238b03b4e1c0e426c0e9cac20165157feebf9d1fc4238e79f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
45KB

MD5
2837b7119b8317dfcac184d2c79322f1

SHA1
57505c795172e26fe388f3829273a69ffe0668f6

SHA256
69fdb4d1a39f5e0d43c1c6b4dad80c67c44195ea8314cda08d601f0540e8f639

SHA512
5d6469df082408efb61a5bcc047bca6377e7be9cdd436bf22801e0cbb96790a11022fdfecdbcf5ff9f9848a5bdb21a30ff2d4875dd73c7a5b87769f0d4eac07d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\2c68539db75e583ae627fdd72a15be71\Accessibility.ni.dll

Filesize
25KB

MD5
c8c7a383ceb4c4d1df55308ba44f75fd

SHA1
7a90edf7bd4488ec42efaabb51f5c9c3560db8e2

SHA256
55588bf1f5b0979b2efb09a755d5c6827946040e0ff8a118d8003377c26d03d8

SHA512
669b5adf2bdaa29449bd771cb5ee2aa5b48ea8bf67ab7a1b76ff8c31942bb4e39a86b7b8d173624538bd5ef8998976b6ace905894cf68f14c3da841520ee4fa9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\574e82db6b0f08cfa6c354a8c530eee2\Microsoft.VisualC.ni.dll

Filesize
15KB

MD5
01d23f6812fe23c0ce53c3fd1e1d1f34

SHA1
943b6ad66eae548473d9e093a35290e421de7a7d

SHA256
32a2b9d92ec3446635a6f9cb21acfb662ba5a1f1b5e725d6ec763438426a9962

SHA512
7df32aa18e90d856e982c555d040e7ceabada7e127a927ac7962d6276079d3e1ab9a1e9a824c67b7a0805ed3c4015de41b9f6b133af956def360dd8485cb9e7e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WindowsAP#\118bd4c522949d6b36e24bb6f84434b7\Microsoft.WindowsAPICodePack.Shell.ni.dll

Filesize
2.3MB

MD5
0656d7a95ed736de97adc784f0b18387

SHA1
193f7da77d7f9e7a9f8c59534f090a24191ab822

SHA256
840fc12bbc617b7d7c81620e598b6c857696646643c4e625b4bc8b8ad8e6bd9c

SHA512
88f6a41aee53f017fa8e79138ebdb5df29e216ce385ab24a91b3c98de63f3ba4dfe360ace2b4f25019cbefa2856bdb735c5a386c7ca08bd44dcfd637a232b97f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WindowsAP#\469887ac3dfaea487ad14ef99196b6e2\Microsoft.WindowsAPICodePack.ni.dll

Filesize
350KB

MD5
745e712a1eef350e3479f1473d6e95b9

SHA1
c84b1c6bfb7624ed319f65ba901afef93a1de987

SHA256
3430644008f1730e94d9d10668235493b01336d14703fa1bf30ce70937c47f5a

SHA512
9f72cca0ecca6ae0578f718e646a4d157d953fc1a723a8aac14ca17e773f6a3f80ca049027eab52cfc11a6098b2bae5ceba2e1f71b7254cb709d503ef562bed2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\c6bb155c52445d8004151eea1796007a\MyDock.Util.ni.dll

Filesize
245KB

MD5
755dc0fa32f76f27d92ac0cb32a8e4f0

SHA1
6e437007ced2dfbe7c6ba3b8b0e29151642b1812

SHA256
af65ad6c7c0132980a7fd063273ec43b1a36e8e7d9ba0ef516cce6868d5c06c4

SHA512
f8f04c403089a1db8f1ec89a2e7f797cef837a6dd0cb226aa2c56689e377c3bedcd7bfd88c110cf73c3fd3b7402e47abe98ff2289d35eb055d05c923d081944b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ObjectDockUI\1f4e0cf0be3b9003936683b3df6b62ce\ObjectDockUI.ni.exe

Filesize
4.1MB

MD5
c594e7734a8d09ba6824204b608ef29c

SHA1
9deb932b55b5a7be571ed12b031a912cf5dc75ff

SHA256
a01b7a5ebb839c5a2553ae246500dfe46fb678f3a81787fbe29ee6aa640e125c

SHA512
f234d6d9bf8ea33af55c2785c1ec487bcd9a65f7d410d81f3f954ada10cafc79889314f11fba214cef6459f2fd4b62daf6a801796e93c45a1d624ea6e68d526b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\e89cc425f0bc4e0f44ab5f0cd7632be6\PresentationCFFRasterizer.ni.dll

Filesize
38KB

MD5
d9e514a72ca4ba5fc9ba9013b36bfb22

SHA1
c191e0c176e6045d3e5b33868158c61a756fb050

SHA256
9f0d5bfdb07e8dee85736cc6c0789ed3896e477785812a31f8e3deccf9aac1eb

SHA512
66d60eccf2bc45942e7ec24104729d0f22f18be3231c9fdc50eda2d8a0ffaf01a93158bec42e4f7df8ed758dba8e86a9c9141af384f264fc7963a798188e00d6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\1d3b47b4707a271625a8f87c961d9f95\PresentationCore.ni.dll

Filesize
8.9MB

MD5
edf381a9b7ce2e40341b64c6c9462772

SHA1
27e95e00570ee75ce42e235313fdb187049a29a6

SHA256
0187b756a25fdf440f84e130dd95cae8be55dac510a462c196d8a208265234c4

SHA512
712ab31246d7f3dac780709f4f2a69a2032570b6496314c630c8099ecd22855d33273c92287f9d2cde060c737502d74d3d7e868ac1531efb453747b33305fd1d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2d7349eca06f71292dea08a2fe45349a\PresentationFramework.ni.dll

Filesize
2.6MB

MD5
ecc2198e786858c7b76a5f68ec721b75

SHA1
35803fda26400cac772b1710bdb3a47500e1f294

SHA256
b7099f6777de0a9ab203c98e1bedb581c5107483b8bdfcc374e6c443da38b5b6

SHA512
6961591bb32fb1181a8ea7548a46af92cd711f40048e8feefb3dda1e6d33ee222c2079e466eb5ed76a23ef711a3a7ce3d3759676ad17b6e4985eba68b4f99a8b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\623ae6ceefcea7e940d78a9ee6884bd0\PresentationUI.ni.dll

Filesize
1.6MB

MD5
4ac1cc83aadc6fe5f4c15ed2c05c410a

SHA1
62221125e7f33da63ddd45a6e690dcdaa5c1ca4a

SHA256
0f37c5d39fe781e182491f6bec8eacb8b4c3535bed34b9567ce4aee7a82a2e83

SHA512
53c78aa45809a02c98143f5cbb82807565492a17f9823b91bd4a57cfb83c6c41deaf0a230764da5a3614d16f1812d609f57c89f9abe7f5de084db5b6972d3178

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\6bcb60d59a75db714efac01f1b83a5a0\ReachFramework.ni.dll

Filesize
2.1MB

MD5
8459770ed535e8c34a805c55734ce19a

SHA1
1f380b9f3c6efe9a2120a7061732c15cf9d90aaf

SHA256
25c69d7126c551b708e5257b131569ca1966951358082daac084b529169a6d36

SHA512
e46e00ab09e3e22bb2c2263a71a901175f5b30f2fdf89b96f78313ef7c5bbbd9ac0e7e18a86683c1a4a43aeb9f4d22bf06e77bddfebe9e7b3f68d9b3af934420

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\RenderPanel\acb0775cba462213e736bd9a8b9ac6c1\RenderPanel.ni.dll

Filesize
430KB

MD5
3cb9c0f3ced65b8ae73ec4bfa0ceea41

SHA1
4e46b7bcaf09ea1b43f7db11882f7a46eb00d6e8

SHA256
bc6d39edc78e36488ecd103e7407f75976421366a910a37b9061c93e6f10d1c3

SHA512
a4ae8b706e34858c4e9c5d4d494df5e45934211ad53ff1553345ae8979eca16d69da24d2db82f9aaee2689e89cd24a3db8e844777d06a5176a0d2f932f210369

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\611ffd8fff7c0284ff774f1020615bfa\System.Configuration.Install.ni.dll

Filesize
138KB

MD5
e038d64d34bc584a554a6281edc8c228

SHA1
ad4c9d87357531c1978ec5855023bd80a37a7895

SHA256
3fe4993755e07639419a3905f331abb6dc156968c6f2e49bcd14156d6bf729e5

SHA512
f09c55227ab5863d0688a53fef584266f690c60d1d16fec5e60f9561dd14862059a59778975a143fbc8725f61b173efdcad90f6b3e6636c20c72fc6a543e1385

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\0e0f9e36df1c27f4678f09942864c9af\System.Data.OracleClient.ni.dll

Filesize
1.1MB

MD5
0ec47acd4f820931ab96d7ebc524e9ef

SHA1
7305e6b9de6dbcda8b0d9ec9aceb33f35181c03e

SHA256
5d24f91ebb1824af1d1b61ec43d3d50f025678570b5bf3f873f41e0640e36dae

SHA512
28f59fb366caf78afbe149c2a612b9aa618b2667b3f93da814f3b848dd17ca9490fd5154a1ca64a12d62033bbcd5be6b777a3b6861b9c7eb52fe1ab5796a8547

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\93790475cf292f83edeb27ee6447bf51\System.Data.SqlXml.ni.dll

Filesize
1.3MB

MD5
19416a817b482955560ca0fc3f5a11b3

SHA1
cb5f6f218aab4d4dfbb8805f210df5bc06233bbe

SHA256
92f0f546d459495994a7813d5ac8abf9fa888241506d7efb54c7a72ed3c045b9

SHA512
226cfdf2d622efb87d5714171902d1308f26272dfa58a144e633e6bb93524042ed11c583c55fe2ff1f1eaf1a63d182eb92086eb72f97c882f0887d59fa521650

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\eaae44035dbd83a24255786d2aa9eef1\System.Data.ni.dll

Filesize
6.3MB

MD5
0e5ef58a5c1ef441d6203b9646569ae7

SHA1
65874e3a59eeec9bb8147e4f459a303de91c4100

SHA256
548f3755733ca180ea1a4e7782dcbc17006922b80586e9208b413be95d2154da

SHA512
a1537470ad190ffe22bbd08d330bf3123a9ab20fce35270588c0bd23dec475c8a64acea1c4872c47d6f3dfdaca42886890e05d8f822373fca0236fc5762089da

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\6a2516126ffd58d75fd9b63d965be6e3\System.Deployment.ni.dll

Filesize
1.6MB

MD5
858999ee084d930465c568a31bad0fc1

SHA1
9715cceab0b7341646d15000394924481a157c2d

SHA256
9cd9d565f993759fd579bd153782d66332a6df9d4f38668fc0612d5fd6c3efbf

SHA512
8348d3c78ec084f18a906d5a17a1bb169b4bd28fc31de413f0340cd12bc94427a23d410a81ae952bce5a5abe837f0210dae778d95ec8ec23098d204badc563d4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\b345b1f734ea3aea3540caf55869215a\System.Design.ni.dll

Filesize
5.1MB

MD5
dccf06ab5bc462d791683e2ef03da5ae

SHA1
1b83e3db2f7f3b2c15a1f2cb0fe49896a26bf596

SHA256
1cb3df129bd033ac9cb309cd5ff55621e1f8f3581874cc03ac1375782a2f770d

SHA512
5d8181a8620d8ace44cacf72130f9fd388a8f585a9f3819db53d7e7bbd6666691e2fa7d1a6d4dc985dc142ec5d222b42022089fecf8fb7bd1fb62eb9cc46e920

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\16ebe8df2036040bf7b16fbb0b441d63\System.DirectoryServices.ni.dll

Filesize
1.1MB

MD5
83549945235b83efb6078a1bb43a5ddc

SHA1
eb3b8496948c891b07376222a058f7ed2f863799

SHA256
f8cca9ed968d1f6244dda022faa84032e6ebec36168d4fb396ad8d01597f356a

SHA512
e55e4baf49291b160f0dce9ef68ee1328496d3263a0469c4c65b7626d6f1a67fa2798f4b47d1991201743033c95421c83fc3ff836aca7b1e65c18bd073eb0f79

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\2d96546698256d818114d8a17215f513\System.DirectoryServices.Protocols.ni.dll

Filesize
444KB

MD5
ec4f188e5ea5045a76ec135a2b1871cf

SHA1
e82130863879e52e9833aeb34e8a8d613d0926aa

SHA256
7dddd2359338f8c5e8879d64c4a8583c930fa98b079fc6edad0e96e3d027cbcd

SHA512
69cada3a6274863b524ee160848c99f2b0979b6e9ba5a205266604382cf5e3ae26277d216c1cb15302782fe15c84f3238ba98b0f0a1d15c054848c78da18df38

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\30bacfb052519296a25d585d62d65f0e\System.Drawing.Design.ni.dll

Filesize
203KB

MD5
ad8de415732fcf19dcb2df89ddfe3159

SHA1
7ab07013e4d4a6f0a23e9571b1b175d9e65d7652

SHA256
7aba2361cde5cf74436533f0da387b83c7e47ed254c2a92fdc9085445e20739e

SHA512
81c8bc4af3bc9d0ce42f903f58456f411f6f5ac31cb569391c31cf5274181a618b2b01f086fc8e39bb24a763accf3c1e3660d4129ad40f53c968f83e5a9ecab5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\14ad09938f3197fce462d47b2194bd45\System.Drawing.ni.dll

Filesize
1.5MB

MD5
1777b41cb2741762a6fceefd99bba158

SHA1
3dd8eee460a20e52689a116103cfa3a43b159d19

SHA256
a549546bdf9b32979033c151fe1ca370f2661570f4637d21138ac4ace369a73a

SHA512
554322ba20e331bd96268842294f71acdbec70765d8c82c51d06c9261a4c284578b26af7efbeec4b072f1ea5b50514a6bcc290343fc12c87b1afa7597ec543f6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\bd2663637d8b93a187e67959328f54fe\System.EnterpriseServices.ni.dll

Filesize
613KB

MD5
0314d12a843f739fe5cd750fdff0289c

SHA1
61d925baf5f080132b62cafd3d1ff8a76ce6a477

SHA256
90f1074270765c0908c6527ca8a86d4199b241e87f2dc5c84ada42c5d966776e

SHA512
997a22727aae924fb467a057a484975d5b3b460f2070b5acfcbc86f8cb8a0d19ee682332d3aa3b2281c63eb7a91b98399ab5a64fc8476fba79d6c10adc5f458c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Printing\702578c40431fab6bf7496ac4ffa5bc0\System.Printing.ni.dll

Filesize
1018KB

MD5
abd0e8192d7c4e248f9274ab269824f0

SHA1
085e4b75694df5618d65680d6bbcb3e19de2ed54

SHA256
eedd71befcc475e95efc90355f1ba05c239b8132ebf6557ffcac0cdd15c32156

SHA512
0019e03987ed49fa1ce452e76761efd159234b817c96bd11514193284249a5a40edacaccdbfc6c1ab1d746d44ee762e70339414d372119c30d49967139cacdbb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b7f272c19ef36ca26a6716b3ce65ba06\System.Runtime.Remoting.ni.dll

Filesize
756KB

MD5
1ca868c0ac37fc6cff2e1ed835a38cd6

SHA1
34f7a8b37af4e35d7ee07eaaca4aa06422e739ff

SHA256
d3e76742f3c6266a039769e51a4b5f419f5d016a1d68b70e8bb136bd2dd590e4

SHA512
fcd95cbe91b768620c74c53b1cb5365ff40fde039a525835572322c48e3750e79a8920f797a32e709b4bea4cf6a77a65d5210cbc2e8e1b4363c3c0d22abb4f5d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfa1161e5e8a708ebafb06503d3ea591\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
303KB

MD5
81116a8852efd011051d9891498970ad

SHA1
784bdae7ec804a5757405287bd5e1b4a2817a730

SHA256
8f8dd22755618fc224856a4a116f9434bac9aa3b1ad023fba70233f74d4a760e

SHA512
f5e2b282c7ef29f91ea43e5f0c935315ca78663f0068e656c422ea622f4ff05150f6ff97764f39ce40246fb8e0f01f430ca3e23c7d15f87883180c18bd718e6c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\6358a966b003f859eb24e6c49d3bb7fa\System.Security.ni.dll

Filesize
705KB

MD5
9f33792c2dd85df9f6f356ac2761d5a9

SHA1
52236ee0a57ac0b135fa68e70adb8f1582b979a1

SHA256
497a442b45d20a888bd7f57b2bd3b39867752b1304109a414ccca565f1bdd9eb

SHA512
0d8d7ca85b6f68bb890391c0490bedf80efd2360fdc9e861038dedf5cff43519ec77ec6b7c5a9976f427d9690e2e94d96572b29f9fdffb4abe46d62c94a4458f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abc482a81715bf779d3138355f99283f\System.ServiceProcess.ni.dll

Filesize
219KB

MD5
594ecb1346fa642970e336852647a24b

SHA1
296fb9e6aa2b62e58562397d0b815fe3b5593c2e

SHA256
043568069f8dd1438c3d5f9e93f02329c25793e614dd39acf0ad1322e8175f9f

SHA512
554fa415ea52a6250d1f0a40c6e905ce1c096114f6480d94fdb95716f3a1f9434a69e93383ebfd8dc8fe27cb54e668395c3d763847220fbaf9e663050736a7d0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\391b0d05b44d909e89c784995e964aa1\System.Transactions.ni.dll

Filesize
612KB

MD5
cd0552ae9ef192595a77292a45b87e21

SHA1
29dc417a2547f08b2aa1b537e63429a12d88d662

SHA256
b728af1b74b97e7ca828c7eaf297a100b384ad1d90df35304cd56a6e28580849

SHA512
ed222c33ce9fb01be88430f63ca1fd6fd46d10d6df2573128497e8e9e493a6b328944edd66793da1f9151aea0b1a4e0d1c89e85260d3a6763584b2e872d18142

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\01d6f732622814b1e863a201924278f0\System.Web.RegularExpressions.ni.dll

Filesize
248KB

MD5
1bafe0bd53dbe522e0a8a99937b00b54

SHA1
872a705244b421c966500bf964d0302069d065f2

SHA256
90c450b59896e2a0996cb3405e87ba053465ff26fe7a4099fc521398f282e796

SHA512
147ed06e64e9d68501231ff6cc1ca8c1ce621f39be1c198e85ac172ab8d933cb2f0a6005eb24b1713b2a7cf24dac5744e68720a3728a810b80c79279fee0e423

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\4c1da9372aeef07827689ca3afe5d28e\System.Web.Services.ni.dll

Filesize
1.8MB

MD5
5584d2a9ef894cadfc271215e4fc84ff

SHA1
24cbddcd375c61708c43deeec5b0446257b535e6

SHA256
985d5c5e0781573a6bcc50bef8eaa624303cee239b0ed8b6921f570d4e21b336

SHA512
62f70cd7a6b5e1b3d5186349ff1b9033631df6e2647b4a036888c6486db7dd97ab52a54ce1d8d6803c0e95a36c595d0a93b5581ca35232a9832f079b1d5e56f7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\e2dbd9e164bfad626e4b00b772242ecc\System.Web.ni.dll

Filesize
10.3MB

MD5
859493cfb7e9487c0af472d50f4f5746

SHA1
e9da1bc4059408d0a066c7ff1287655803f20962

SHA256
f2f5a41cf3be5a768d952d7ed063740ba9d6c783098fb124153a0e202e56cf71

SHA512
624666d1ddf81d2f6a4f04205a052f722b6416df133ed655ebf64a9943ecb5aaad7ada83264c06ce7bcb209410e6be8fe035c3664e2f72f6be027fd062baad19

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0c47ad5e4d501b35e43a088535e589f\System.Windows.Forms.ni.dll

Filesize
267KB

MD5
7e0249090cd1607e2a787196c7412e93

SHA1
d0021865492c068c579ea608832a4bc58efce2be

SHA256
3dc3bb9ea903232b2defe0804f4d637f79058aa70c1bdd8c2eec354177e93c9e

SHA512
29b7d07340dfabfe2c7a1d47e6542f1e1b7855162a0b0c563c09074030022f78594e07bcf2acb61be494998b2af4be54914e8fa25820356bbb4e8526e9cfa30a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\866071f7699098f652bb297811da2f45\System.Xml.ni.dll

Filesize
2.7MB

MD5
6f9f344c4b8c3decaaf3bd3a422ef2f5

SHA1
561232b923a908982e085afcac36feb6414e60c2

SHA256
891a9a0e195e57df3ce47df0b1e9c7e6a21ca0aa6508d354e59b8ffa837316dc

SHA512
3c757b271e1de15392b28682341776bbae95e13d5ab360aa3ec64d5b9549d77f582d5164e9603ad66878b990c6a758a71d725446378d1f024932c5a1a0e572f3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\866071f7699098f652bb297811da2f45\System.Xml.ni.dll

Filesize
2.5MB

MD5
2ddffe120c1e227ddaca2f12eb5cc225

SHA1
aabca5c714a61c6a6b0e294e1b5ace310d30dfb8

SHA256
8d3722acaf5c69f8bab9b7f80c5ac15448307ce6d7a511e304ecaf77de622fe0

SHA512
0e38878b16e2bf26e17810ea3d50b039131929372ed7bea7a9f8c086ca239b5d5a57a987ad1d657ea604996d05714814a0a5ec5d733b60e53a45d8cdda06d3ac

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\866071f7699098f652bb297811da2f45\System.Xml.ni.dll

Filesize
1.6MB

MD5
625490f982c7b6101a96fbc1103a8bb9

SHA1
86f8d933ba85dd770106c5541c076e33fc532a60

SHA256
8874913136c92c8f4ec27f9575a7152552d1f96be4105c0806ae9b4100c2ada1

SHA512
07e3bfaa4ce34089ae72c9e855467cb20d8db3fe193e6721fc4512457048849b2755126a4baccadb2a213c08bc7dae45a8fa5b92c67402fb3c5cd2a77256c95a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\866071f7699098f652bb297811da2f45\System.Xml.ni.dll

Filesize
1.3MB

MD5
80bd74cdb5e8bfbe9909ad1128884d42

SHA1
ba2618ec64c1d5d579029d42f4b183f18e69866b

SHA256
f87927b7577fb59fd6b3defe575d3ecd04235e1a689c5cb82b1fbe8c3697a895

SHA512
a73cf1168cc1e18248f5d0bc02f52cfe04eeb9bb9dc5a50790af82df8881eba09a5ac1c84c9257a6b32a76876580302181e5667f077a1adfe58cb9798ac4cbdb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17AA.tmp\ObjectDockTray.exe

Filesize
430KB

MD5
fcdc37d816ea471158a525200384ae34

SHA1
02396139df6322e23678f05d5c10136b7bbaa1c6

SHA256
4e7c2a4031d61db151e75c31dcbd3ef2b18111f98557002be9daf5cda54bde0b

SHA512
69fee9f4b2e87a309ae4f40fdb55764adbfe98e96bd71889b4426c237dcaf4e4c3dc5a313d8d644a4838825c02f80fe71e52d4844787acef9821f2a9d7d97caf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B34.tmp\System.Configuration.dll

Filesize
955KB

MD5
4990dd6603ba3479ecc73fa52da8b155

SHA1
8bdc7e58144a9714537f7415ff14bd47b0b15f21

SHA256
88d7bf86a81d78d6cc26e3e740cb2552b0daab107a6fe57ff29b3a8b4c765d01

SHA512
7c5ab15c8c5dc5c210ec49a56b422a53fd648d805f4e6211ff0f66a81a78dc32f33d4f026f9d7b8b116eb3c0a6d5aafeed4749054b8238d14fb6258b27172dc7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP245C.tmp\System.Xml.dll

Filesize
5.2MB

MD5
3c086fd99a1ed879f2bfea3be1bcb0cb

SHA1
3890a4f64f201851e98de4c697238077c4264944

SHA256
22ec310b91cc5f07b2d75bf2cb106d69f9490239848c3e40e3bbdc036e488f3a

SHA512
b563fa31584d8164be2eeaf7beb080f0494826aa8000a3ad8cf0b58932adbce7cd4e2d8fb1c5543d49fb62447ab27a89cbc3d5e581fe64a9942a3cf5381a7f11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\f8c80f7ab75e2bdeba33fb98dd915d0e\UIAutomationProvider.ni.dll

Filesize
59KB

MD5
eae06b04ad65692d960849fda1a54df3

SHA1
f217d391769e896efd908868269f5c55ecc09161

SHA256
db41de0bd0ee812c08267102c12aca82cd0a75901b33193ae9932bd56f5127c5

SHA512
9050b09127013bb17f8052a42684f479883d4dae49591f10ad7e0ee2f05fe4a6b4b0c88390eb19ef2f4410a1ebde01049163cdca4268b224f51fdf6955470d92

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\767a4940f6625ab6cc914df66880a94d\UIAutomationTypes.ni.dll

Filesize
181KB

MD5
872eca7ff4b388d067f5f0127f480758

SHA1
522bbd29f1221945a5c7291b6feca6edb9f7d5c0

SHA256
166b1a7da049179dd8a659bad18f6725d5f51fb53abaf313668419501693ab3b

SHA512
bf0120d3a4fd3e2adaaed22fcd4402d36eca011f749ef19f71d9c177c679e0322233b8d0a8d6042429b16b2634a5571bb00f20d53eee1b921304e5ded261883b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\884c6a36110135324286dc54c4739f34\WindowsBase.ni.dll

Filesize
2.4MB

MD5
82c3c3c968f680bc061d2bcfd7da55dc

SHA1
9fd09ad4b9e8a6b750fcf13b8bc9b7c70325ba02

SHA256
23acfc8ccf6f4ed9d6f87b90ccf17ad28cc5dc6f1df91823b052eb26cababfdd

SHA512
4c11a373dca39c09d53872b513cfd96581d3b81d6462d816eebd6f055a71eba06b230a188473977bfee6ccee9de6875b5687f4dcb695ea593a83ee58c102595b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\9036e31154753be8b895ac138353c48d\WindowsFormsIntegration.ni.dll

Filesize
234KB

MD5
4f8ea6360212cdc850c57d9ce2f9dac8

SHA1
3120ef549dfe73683aae8aaf49359642704f62f6

SHA256
aa169af3a25550fd4ee12f7c49b6d0e956e86de39c28a6a9bf95cd8be65d0f4c

SHA512
3f823deb94c7a4ba0f8fd56e081d5d3c060734d4f3efbb0371e3e09cceed74413ef0332e1809c157b9d93596f81d59aa8c6c9e4ec15d5d425cf05ddedfb7e7ee

Download Submit
memory/836-1256-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/836-1257-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/836-1258-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/836-1270-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2524-1368-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2524-1567-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2720-1339-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2720-1348-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2720-1341-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2720-1340-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2788-1360-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2788-1351-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2788-1353-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/2788-1352-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3496-1370-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3496-1379-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3496-1372-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3496-1371-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3664-1337-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3664-1329-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/3664-1330-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3664-1328-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1314-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/3924-1313-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1315-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1383-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1390-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1382-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/3924-1381-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1326-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4192-1997-0x000000001DBD0000-0x000000001DC21000-memory.dmp

Filesize
324KB

Download
memory/4304-1802-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

Filesize
104KB

Download
memory/4384-1302-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4384-1290-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4384-1289-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4520-1551-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/4520-1550-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4520-1554-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4520-1553-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4872-1272-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4872-1273-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/4872-1285-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5020-1532-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5020-1533-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/5020-1534-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5020-1542-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5272-1248-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5272-1245-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5272-1236-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5272-1239-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/5324-1953-0x0000000003A60000-0x0000000003A79000-memory.dmp

Filesize
100KB

Download
memory/5324-1979-0x0000000007160000-0x00000000071D2000-memory.dmp

Filesize
456KB

Download
memory/5324-2000-0x00000000040F0000-0x0000000004126000-memory.dmp

Filesize
216KB

Download
memory/5324-1999-0x00000000040F0000-0x000000000412B000-memory.dmp

Filesize
236KB

Download
memory/5324-1975-0x0000000004A10000-0x0000000004A2A000-memory.dmp

Filesize
104KB

Download
memory/5324-2002-0x00000000040C0000-0x00000000040D3000-memory.dmp

Filesize
76KB

Download
memory/5324-1974-0x00000000049D0000-0x00000000049EA000-memory.dmp

Filesize
104KB

Download
memory/5324-1927-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/5324-1932-0x0000000003D70000-0x0000000003E37000-memory.dmp

Filesize
796KB

Download
memory/5460-1317-0x00000000002D0000-0x00000000002EA000-memory.dmp

Filesize
104KB

Download
memory/5460-1717-0x00000000002D0000-0x00000000002EA000-memory.dmp

Filesize
104KB

Download
memory/5460-1543-0x00000000002D0000-0x00000000002EA000-memory.dmp

Filesize
104KB

Download
memory/5460-1319-0x00000000002D0000-0x00000000002EA000-memory.dmp

Filesize
104KB

Download
memory/5740-1568-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5812-1492-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/5812-1493-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5812-1393-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5812-1518-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5824-1556-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5824-1925-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/5824-1559-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5824-1565-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/5824-1557-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/5960-1214-0x0000000020000000-0x0000000020115000-memory.dmp

Filesize
1.1MB

Download
memory/5960-1318-0x0000000020000000-0x0000000020115000-memory.dmp

Filesize
1.1MB

Download
memory/5960-1217-0x0000000000900000-0x0000000000927000-memory.dmp

Filesize
156KB

Download
memory/6008-2049-0x00000000009C0000-0x00000000009E7000-memory.dmp

Filesize
156KB

Download
memory/6008-2050-0x0000000002600000-0x00000000026C7000-memory.dmp

Filesize
796KB

Download
memory/6072-1520-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/6072-1522-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download
memory/6072-1521-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/6072-1530-0x00000000731A0000-0x0000000073751000-memory.dmp

Filesize
5.7MB

Download