Analysis
-
max time kernel
348s -
max time network
342s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system -
submitted
03-05-2024 06:33
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.simhubdash.com/
Resource
win10v2004-20240419-en
General
-
Target
https://www.simhubdash.com/
Malware Config
Signatures
-
BlackGuard
Infostealer first seen in late 2021.
-
Detected Ploutus loader 1 IoCs
resource yara_rule behavioral1/files/0x0007000000024876-5783.dat family_ploutus -
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 10 IoCs
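Attackers can change the Authenticode and cryptography registry keys so that their binary is treated as validly signed. In this run the modified values are certificate blobs under the machine-wide TrustedPublisher store, written by wdi-simple.exe and DrvInst.exe; the one blob shown in full has a subject that decodes to a USB VID/PID string ending in "(libwdi autogenerated)", so check it against the expected driver-installation behaviour when triaging this signature.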
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 DrvInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 0300000001000000140000001df628b57b51da3acf307da8f9ce7fcec4eb798f2000000001000000cc020000308202c830820231a00302010202103b4716b97f6482814f60196f347cb56b300d06092a864886f70d01010b050030633161305f06035504031e58005500530042005c005600490044005f00430038003700320026005000490044005f003100300030003400200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3234303530333036333731345a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00430038003700320026005000490044005f003100300030003400200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100a7486d79da6839fd5a17403a9571dacc587f7a578ef7a634a66e2d73be028f2c56502321a7b5d461eda0cd0009a8bb9c7f7baa953bb0c60833899526987d01b50c675a97c9646af18746b177c53d75108c5370bbed084accbe631fe146a0a1618f51ddaea99ff76868a06b587f08bff8881152772b2dfb30a875d1a0076451c50203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b060105050702
01161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d01010b050003818100112119f20019a22a5746069037055c9e95761fc56fc4f1e48e0f9fcbce657313a7a77349a52b2aa2a50d75061e909d91f48f3b3cc9c8faf3ea530b5ba12f4a07d55760b0f535dc4a1ee5761234f6ef9ccbaa4c7bbcecbe20cb53b274a795459dceb09ed3c5727dc147790614a45c7169decb5615e720927b12c92d07fe78e983 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 DrvInst.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F wdi-simple.exe -
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 5824 netsh.exe 3024 netsh.exe 5524 netsh.exe 5728 netsh.exe -
Sets file execution options in registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation SimHub.PackageManager.Standalone.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation wdi-simple.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation vcredist_x86_2019.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation SimHub.PackageManager.Standalone.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation SimHub.PackageManager.Standalone.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation wdi-simple.exe Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation SimHub.PackageManager.Standalone.exe -
Executes dropped EXE 44 IoCs
pid Process 4212 SimHubSetup_9.2.12.tmp 3076 MicrosoftEdgeWebview2Setup.exe 5248 MicrosoftEdgeUpdate.exe 5616 MicrosoftEdgeUpdate.exe 5604 MicrosoftEdgeUpdate.exe 4752 MicrosoftEdgeUpdateComRegisterShell64.exe 5404 MicrosoftEdgeUpdateComRegisterShell64.exe 5392 MicrosoftEdgeUpdateComRegisterShell64.exe 5548 MicrosoftEdgeUpdate.exe 5712 MicrosoftEdgeUpdate.exe 5804 MicrosoftEdgeUpdate.exe 1628 MicrosoftEdgeUpdate.exe 5436 MicrosoftEdge_X64_124.0.2478.80.exe 1452 setup.exe 5568 setup.exe 5788 MicrosoftEdgeUpdate.exe 6012 vcredist_x86_2012.exe 6088 vcredist_x86_2012.exe 6080 vcredist_x64_2012.exe 1256 vcredist_x64_2012.exe 2020 vcredist_x86_2013.exe 1348 vcredist_x86_2013.exe 5948 vcredist_x64_2013.exe 4824 vcredist_x64_2013.exe 6000 vcredist_x86_2019.exe 5764 vcredist_x86_2019.exe 3468 VC_redist.x86.exe 5524 SimHub.PackageManager.Standalone.exe 3912 SimHub.ndp48-web.1.0.0.exe 760 Setup.exe 1256 SimHubWpf.exe 5400 SimHub.PackageManager.Standalone.exe 3944 SimHub.VOCOREScreenSetup.1.0.0.exe 5784 SimHub.VOCOREScreenSetup.1.0.0.tmp 4612 wdi-simple.exe 1272 installer_x64.exe 1256 SimHub.PackageManager.Standalone.exe 2184 SimHub.USBD480Installer.1.0.0.exe 6020 SimHub.PackageManager.Standalone.exe 5652 SimHub.AX206creenSetup.1.0.0.exe 1184 SimHub.AX206creenSetup.1.0.0.tmp 840 wdi-simple.exe 5380 installer_x64.exe 2376 SimHubWPF.exe -
Loads dropped DLL 64 IoCs
pid Process 5248 MicrosoftEdgeUpdate.exe 5616 MicrosoftEdgeUpdate.exe 5604 MicrosoftEdgeUpdate.exe 4752 MicrosoftEdgeUpdateComRegisterShell64.exe 5604 MicrosoftEdgeUpdate.exe 5404 MicrosoftEdgeUpdateComRegisterShell64.exe 5604 MicrosoftEdgeUpdate.exe 5392 MicrosoftEdgeUpdateComRegisterShell64.exe 5604 MicrosoftEdgeUpdate.exe 5548 MicrosoftEdgeUpdate.exe 5712 MicrosoftEdgeUpdate.exe 5804 MicrosoftEdgeUpdate.exe 5804 MicrosoftEdgeUpdate.exe 5712 MicrosoftEdgeUpdate.exe 1628 MicrosoftEdgeUpdate.exe 5788 MicrosoftEdgeUpdate.exe 6088 vcredist_x86_2012.exe 1256 vcredist_x64_2012.exe 1348 vcredist_x86_2013.exe 4824 vcredist_x64_2013.exe 5764 vcredist_x86_2019.exe 2288 VC_redist.x86.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 5524 SimHub.PackageManager.Standalone.exe 760 Setup.exe 760 Setup.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe 5676 mscorsvw.exe -
Registers COM server for autorun 1 TTPs 33 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" 
MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1} = "\"C:\\ProgramData\\Package Cache\\{f65db027-aff3-4070-886a-0d87064aabb1}\\vcredist_x86.exe\" /burn.runonce" vcredist_x86_2013.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{050d4fc8-5d48-4b8f-8972-47c82c46020f} = "\"C:\\ProgramData\\Package Cache\\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\\vcredist_x64.exe\" /burn.runonce" vcredist_x64_2013.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4f84f2dc-3f70-433a-8f50-8293e0089b0f} = "\"C:\\ProgramData\\Package Cache\\{4f84f2dc-3f70-433a-8f50-8293e0089b0f}\\VC_redist.x86.exe\" /burn.runonce" VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240503063548.log\" /quiet /norestart ignored \"/c:msiexec /qb /i vcredist.msi\" /burn.runonce" vcredist_x86_2012.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20240503063555.log\" /quiet /norestart ignored \"/c:msiexec /qb /i vcredist.msi\" /burn.runonce" vcredist_x64_2012.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 41 camo.githubusercontent.com 45 camo.githubusercontent.com 46 camo.githubusercontent.com -
Checks system information in the registry 2 TTPs 10 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\mfc140u.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\amd64\WinUSBCoInstaller2.dll DrvInst.exe File opened for modification C:\Windows\SysWOW64\vcamp140.dll msiexec.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\GroupPolicy installer_x64.exe File created C:\Windows\SysWOW64\vcomp140.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140cht.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140rus.dll msiexec.exe File created C:\Windows\System32\DriverStore\Temp\{dde227da-7cd4-3943-ae52-4bec6e54e68b}\amd64\SETD592.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{dde227da-7cd4-3943-ae52-4bec6e54e68b}\SETD594.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usb_device.inf_amd64_d19b3291b47a6625\amd64\WdfCoInstaller01011.dll DrvInst.exe File created C:\Windows\SysWOW64\mfcm140.dll msiexec.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\SysWOW64\mfc140cht.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usb_device.inf_amd64_d19b3291b47a6625\amd64\WinUSBCoInstaller2.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{46751c3a-8da1-2c4f-b24a-2f2f04037e11}\USBD480_Libusb.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbd480_libusb.inf_amd64_e6ad8e2b919564cb\amd64\libusb0.sys DrvInst.exe File created C:\Windows\SysWOW64\msvcp140_2.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140ita.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140kor.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{dde227da-7cd4-3943-ae52-4bec6e54e68b}\usb_device.inf DrvInst.exe File 
opened for modification C:\Windows\System32\DriverStore\Temp\{46751c3a-8da1-2c4f-b24a-2f2f04037e11}\SET7195.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usb_device.inf_amd64_6c0f458a27010a45\usb_device.inf DrvInst.exe File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140ita.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{46751c3a-8da1-2c4f-b24a-2f2f04037e11}\amd64\SET7184.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{46751c3a-8da1-2c4f-b24a-2f2f04037e11}\x86\SET71A6.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\amd64\SET800B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\SET801C.tmp DrvInst.exe File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140deu.dll msiexec.exe File opened for modification C:\Windows\System32\GroupPolicy installer_x64.exe File created C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\amd64\SET800A.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\SET800C.tmp DrvInst.exe File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll msiexec.exe File created C:\Windows\System32\DriverStore\Temp\{dde227da-7cd4-3943-ae52-4bec6e54e68b}\SETD593.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbd480_libusb.inf_amd64_e6ad8e2b919564cb\USBD480_Libusb.cat DrvInst.exe File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll msiexec.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol installer_x64.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI installer_x64.exe File opened for modification 
C:\Windows\System32\DriverStore\FileRepository\usb_device.inf_amd64_d19b3291b47a6625\usb_device.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\amd64\WdfCoInstaller01011.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\usb_device.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usb_device.inf_amd64_6c0f458a27010a45\usb_device.cat DrvInst.exe File created C:\Windows\SysWOW64\msvcp140.dll msiexec.exe File opened for modification C:\Windows\SysWOW64\mfc140.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{dde227da-7cd4-3943-ae52-4bec6e54e68b}\usb_device.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{46751c3a-8da1-2c4f-b24a-2f2f04037e11}\amd64\SET7183.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbd480_libusb.inf_amd64_e6ad8e2b919564cb\USBD480_Libusb.inf DrvInst.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI installer_x64.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\amd64\SET800A.tmp DrvInst.exe File created C:\Windows\SysWOW64\vcamp140.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\usb_device.inf_amd64_d19b3291b47a6625\usb_device.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{dde227da-7cd4-3943-ae52-4bec6e54e68b} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\SET801C.tmp DrvInst.exe File opened for modification C:\Windows\SysWOW64\mfc140u.dll msiexec.exe File created C:\Windows\SysWOW64\mfc140jpn.dll msiexec.exe File created C:\Windows\System32\DriverStore\Temp\{46751c3a-8da1-2c4f-b24a-2f2f04037e11}\SET7195.tmp DrvInst.exe File 
opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol installer_x64.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\usb_device.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d4f5e982-3fda-8c47-aa12-5e7068139aa3}\amd64 DrvInst.exe File created C:\Windows\SysWOW64\mfc140chs.dll msiexec.exe File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF chrome.exe File opened for modification C:\Windows\SysWOW64\mfc140enu.dll msiexec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\SimHub\NAudio.Midi.dll SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\LMU\is-52GKI.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\PluginSdk\User.PluginSdkDemo\is-LKS7E.tmp SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\124.0.2478.80\Locales\qu.pak setup.exe File created C:\Program Files (x86)\SimHub\_Addons\GamePlugins\MXBikes\MX bikes\is-QNM37.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\Logos\is-T5PSL.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DevicesLogos\is-91PKM.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_SSD1306\is-B3BP7.tmp SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\Trust Protection Lists\Sigma\Entities setup.exe File opened for modification C:\Program Files (x86)\SimHub\Microsoft.AspNetCore.Http.dll SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DevicesDefaults\is-R58L3.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\Automobilista2\is-VHK86.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\Automobilista2\is-6FUKJ.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\Web\favicons\is-U5HVC.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\FastLED\is-9PH6K.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\is-1TLE7.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\Automobilista2\is-A1B26.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\PluginSdk\User.PluginSdkDemo\is-233ND.tmp 
SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\SimHub\RJCP.SerialPortStream.dll SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DevicesLogos\is-T33DQ.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\Web\favicons\is-NHAAC.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\TimerThree\examples\FanSpeed\is-F3FVI.tmp SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\124.0.2478.80\Trust Protection Lists\Mu\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\124.0.2478.80\identity_proxy\win11\identity_helper.Sparse.Canary.msix setup.exe File created C:\Program Files (x86)\SimHub\Web\is-UNT77.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\docs\html\is-QN4C9.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DashTemplates\SimHub - Live map\is-UM3I9.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DashFonts\is-9UH2H.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\GamePlugins\ProjectCars3UDP\is-6FHGE.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\FastLED\is-TENN4.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\FastLED\platforms\arm\nrf51\is-I6S7Q.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal\examples\Cursor\is-56QE0.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\is-PB3TF.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\Logos\is-FSU5T.tmp SimHubSetup_9.2.12.tmp File created C:\Program 
Files (x86)\SimHub\_Addons\Arduino\Libraries\Robot_Control\examples\learn\MotorTest\is-FHR70.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\ImageLibrary\Leds\Set2\is-T598P.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DashFonts\is-5D4BE.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\is-BTAIU.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\MatrixFonts\is-HBASG.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_GFX\Fonts\is-PGRG6.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\TM1637_6D\is-S3SFA.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\Locales\bg.pak setup.exe File created C:\Program Files (x86)\SimHub\Help\Images\is-CGKUR.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_GFX\Fonts\is-33DNM.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\docs\html\search\is-78UG3.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\TimerOne\is-5Q60F.tmp SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\SimHub\libusb-1.0.dll SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\docs\html\is-QHUGP.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Robot_Control\examples\learn\keyboardTest\is-1LQSE.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DevicesDefaults\is-LPMHK.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DashTemplates\MYTEC D153\is-J7NUN.tmp SimHubSetup_9.2.12.tmp File created 
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_MotorShield\examples\StackingTest\is-Q3LUH.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_GFX\Fonts\is-9C405.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\Libraries\Adafruit_PCD8544\is-2CKJF.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\is-EB0VC.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\FastLED\is-NKGLK.tmp SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\Locales\he.pak setup.exe File opened for modification C:\Program Files (x86)\SimHub\ImageLibrary\ProgressBar\ProgressBar3.png SimHubSetup_9.2.12.tmp File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\WidevineCdm\manifest.json setup.exe File opened for modification C:\Program Files (x86)\SimHub\System.Buffers.dll SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DevicesLogos\is-NF6OQ.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\DashTemplates\ConceptDash_v4\is-L4HE5.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\Logos\is-SQ0QN.tmp SimHubSetup_9.2.12.tmp File created C:\Program Files (x86)\SimHub\LookupTables\DefaultCarSettings\AssettoCorsaCompetizione\is-1KAK1.tmp SimHubSetup_9.2.12.tmp -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\164c-0\SharpDX.DirectInput.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Windows.UI\910685c6c93b07f96a8ece16e9185dff\Windows.UI.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.Bitma4806652#\e76d5a961710c47595d7b1b84bec9b26\SimHub.BitmapDisplay.MMF.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ValueTuple\c6920bc387c1546e2d71d9d7aefe863a\System.ValueTuple.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b4-0\CodemastersReader.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Newtonsoft.Json\9ac89c3b239e19af1cd62c70d0856171\Newtonsoft.Json.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt54187d77#\a01872bed94a4b7f41800b9a004724aa\System.Runtime.InteropServices.RuntimeInformation.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numeb60ee252#\0d61967eb17cb68dc5885ffcfeaa1dd1\System.Numerics.Vectors.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17e8-0\Windows.Media.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1684-0\SimHub.BitmapDisplay.Subprocess.X86.exe mscorsvw.exe File opened for modification C:\Windows\Installer\MSIAAAD.tmp msiexec.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Linq\fa5b139f57ac6a2789be0b35dbae4569\System.Linq.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\CefSharp.OffScreen\ea7ec7e0fcab233c7991114535a0aa89\CefSharp.OffScreen.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File created 
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1704-0\System.Security.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Diagd2d95910#\a2e562080989c716c1d2a5f6ed5926e6\System.Diagnostics.Tracing.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1714-0\System.Activities.DurableInstancing.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1738-0\Windows.Data.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1340-0\YamlDotNet.dll mscorsvw.exe File created C:\Windows\Installer\e59a8c1.msi msiexec.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\NextionCommon\48254917d5d484d91a111100748e950a\NextionCommon.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1794-0\RawInputProcessor.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Thre95f54cb4#\a93a83b5adc42e6e8141b5180260e712\System.Threading.Tasks.Extensions.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\LFSReader\da4a972fb8ed454911ee53a610f2fbde\LFSReader.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\717e17e861dedcd989be68d815fe5230\System.Runtime.WindowsRuntime.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\CircularGauge\410c457b6ccf66d3f5adb9d4f23df13f\CircularGauge.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\268-0\MathNet.Numerics.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15b8-0\Wpf.MatrixExtensions.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1624-0\SimHub.Bluetooth.dll mscorsvw.exe File created 
C:\Windows\assembly\NativeImages_v4.0.30319_32\Windows.Devices\d1bf2bef1a229c5f9d46383e3ead9a33\Windows.Devices.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\SimHub.SHSerialPort\a5cd901b8508979f6350ad3b855f1716\SimHub.SHSerialPort.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\870-0\SimHub.BitmapDisplay.SerialTSS.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\5ca8c6ea7b2875691069fd4590f42b26\UIAutomationTypes.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17d8-0\System.DirectoryServices.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\4a5e809ee7d57d2675f79a3e55eee0f4\System.DirectoryServices.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16dc-0\System.Web.Services.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9d0-0\System.Runtime.InteropServices.RuntimeInformation.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1554-0\Windows.Services.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\cb1e796b063d1f2ff12ac024da31bfee\System.Printing.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\16b8-0\System.Windows.Forms.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\c510a4bcfe75f634032f39bda45370e8\System.DirectoryServices.Protocols.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\2b5f1247352f1f7ab9914e9aeb372dc8\System.ServiceModel.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\428-0\Windows.Gaming.dll mscorsvw.exe File created 
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\173c-0\SMDiagnostics.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\938-0\System.ComponentModel.Composition.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\NAudio.Core\1ad308da25cbbad61a5845474a7aab07\NAudio.Core.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\eb4-0\System.EnterpriseServices.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Reflection\0085ba85d71bf638d4412cd9f0626565\System.Reflection.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\ArqSerialLib\ce911971a1bee7f687babe43a62d56c1\ArqSerialLib.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\14b0-0\Jint.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\148c-0\Microsoft.DotNet.PlatformAbstractions.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\17fc-0\System.Data.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IO\2880f293da7b14fea611c0a5f15f00f9\System.IO.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Windows.Perception\8238aede5793c1a4cf2e1d88ce3215bc\Windows.Perception.ni.dll.aux.tmp mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log ngen.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5b8-0\System.Net.Sockets.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13f0-0\SimHub.Plugins.Dashstudio.Behaviors.Core.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1734-0\MahApps.Metro.IconPacks.Material.dll mscorsvw.exe File created 
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\0595604fe5cf2cf3667da1e44631ecec\System.Web.RegularExpressions.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\5b8-0\System.Xml.ReaderWriter.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\MathNet.Numerics\0cb96be5d81d25cc635fcc891487093b\MathNet.Numerics.ni.dll.aux.tmp mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d4-0\GongSolutions.WPF.DragDrop.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\ProSwitchPanelSDK\44c1dc15361a413bbd024547238fc42e\ProSwitchPanelSDK.ni.dll.aux.tmp mscorsvw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x000700000001e8cd-11070.dat nsis_installer_1 behavioral1/files/0x000700000001e8cd-11070.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 63 IoCs
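SCSI device information is often read in order to detect sandboxing environments. In this run the keys are accessed by DrvInst.exe, svchost.exe and vssvc.exe, which are Windows components for driver installation, service hosting and Volume Shadow Copy, so the reads may equally reflect routine device enumeration during driver setup; check what launched these processes before treating this as evasion.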
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
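Processor information is often read in order to detect sandboxing environments. Here the only accesses listed are Setup.exe opening CentralProcessor\0 and querying its ~MHz value, which installers may also do for ordinary hardware checks, so this is a weak signal on its own.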
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Setup.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591916052379128" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" MicrosoftEdgeUpdateComRegisterShell64.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{8DE5B0D4-A6D8-4F72-B8EF-28776A2EE5D5}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\MicrosoftEdgeUpdateBroker.exe\"" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue" MicrosoftEdgeUpdateComRegisterShell64.exe Key created 
\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Applications SimHubWpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\matrixfontv2_auto_file SimHubWpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebSvc" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ProgID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\ = "Microsoft Edge Update Process Launcher Class" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\PROGID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{4f84f2dc-3f70-433a-8f50-8293e0089b0f} VC_redist.x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ = "Microsoft Edge Update Broker Class Factory" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = 
"IPolicyStatusValue" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4D0B5ED88D6A27F48BFE8277A6E25E5D\Servicing_Key msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7938D0804F063B44BB59BF9B05BCB0E4\SourceList msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\ledanimation_auto_file\shell SimHubWpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods\ = "26" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ELEVATION MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalServer32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\matrixfontv2_auto_file\shell SimHubWpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ProgID\ = 
"MicrosoftEdgeUpdate.PolicyStatusSvc.1.0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} MicrosoftEdgeUpdateComRegisterShell64.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F wdi-simple.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F wdi-simple.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2 wdi-simple.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F\Blob = 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 wdi-simple.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1DF628B57B51DA3ACF307DA8F9CE7FCEC4EB798F wdi-simple.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2 wdi-simple.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4F342BDF65D016A660A4CFDD405DEC0C987E00C2\Blob = 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 wdi-simple.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 1576 chrome.exe 1576 chrome.exe 4212 SimHubSetup_9.2.12.tmp 4212 SimHubSetup_9.2.12.tmp 5248 MicrosoftEdgeUpdate.exe 5248 MicrosoftEdgeUpdate.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 116 chrome.exe 5248 MicrosoftEdgeUpdate.exe 5248 MicrosoftEdgeUpdate.exe 5248 MicrosoftEdgeUpdate.exe 5248 MicrosoftEdgeUpdate.exe 3744 msiexec.exe 3744 msiexec.exe 3744 msiexec.exe 3744 msiexec.exe 3744 msiexec.exe 3744 msiexec.exe 3744 msiexec.exe 3744 msiexec.exe 760 Setup.exe 760 Setup.exe 760 Setup.exe 760 Setup.exe 760 Setup.exe 760 Setup.exe 760 Setup.exe 760 Setup.exe 5784 SimHub.VOCOREScreenSetup.1.0.0.tmp 5784 SimHub.VOCOREScreenSetup.1.0.0.tmp 1184 SimHub.AX206creenSetup.1.0.0.tmp 1184 SimHub.AX206creenSetup.1.0.0.tmp 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe -
Suspicious behavior: LoadsDriver 10 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 660 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe 
Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe Token: SeShutdownPrivilege 1576 chrome.exe Token: SeCreatePagefilePrivilege 1576 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe -
Suspicious use of SendNotifyMessage 27 IoCs
pid Process 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 1576 chrome.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe 2376 SimHubWPF.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2376 SimHubWPF.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1576 wrote to memory of 1312 1576 chrome.exe 84 PID 1576 wrote to memory of 1312 1576 chrome.exe 84 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 512 1576 chrome.exe 85 PID 1576 wrote to memory of 1088 1576 chrome.exe 86 PID 1576 wrote to memory of 1088 1576 chrome.exe 86 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to 
memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 PID 1576 wrote to memory of 988 1576 chrome.exe 87 -
Uses Volume Shadow Copy service COM API
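The Volume Shadow Copy Service (VSS) is used to manage backups and snapshots. Installers and backup software can call this API during normal operation, so the signature is only meaningful when read together with the calling process and what it did to existing shadow copies.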
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.simhubdash.com/1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde401cc40,0x7ffde401cc4c,0x7ffde401cc582⤵PID:1312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1932 /prefetch:22⤵PID:512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2200 /prefetch:32⤵PID:1088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2416 /prefetch:82⤵PID:988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3136 /prefetch:12⤵PID:4212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:3284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4512 /prefetch:12⤵PID:4572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4996 /prefetch:82⤵PID:1268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4636 /prefetch:82⤵PID:1080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4404,i,11610149535998964691,6688661958739470900,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4884 /prefetch:82⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:116
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:2844
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2976
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1224
-
C:\Users\Admin\Downloads\SimHub.9.02.12\SimHubSetup_9.2.12.exe"C:\Users\Admin\Downloads\SimHub.9.02.12\SimHubSetup_9.2.12.exe"1⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\is-VTU45.tmp\SimHubSetup_9.2.12.tmp"C:\Users\Admin\AppData\Local\Temp\is-VTU45.tmp\SimHubSetup_9.2.12.tmp" /SL5="$11005C,189947315,950784,C:\Users\Admin\Downloads\SimHub.9.02.12\SimHubSetup_9.2.12.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4212 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="SimHub Setup rule" dir=in3⤵
- Modifies Windows Firewall
PID:5524
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="SimHub Packages Setup rule" dir=in3⤵
- Modifies Windows Firewall
PID:5728
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="SimHub Setup rule" dir=in action=allow program="C:\Program Files (x86)\SimHub\SimHubWPF.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:5824
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="SimHub Packages Setup rule" dir=in action=allow program="C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:3024
-
-
C:\Program Files (x86)\SimHub\Redist\MicrosoftEdgeWebview2Setup.exe"C:\Program Files (x86)\SimHub\Redist\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Executes dropped EXE
PID:3076 -
C:\Program Files (x86)\Microsoft\Temp\EU530D.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU530D.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:5248 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5616
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5604 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4752
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5404
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5392
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezdDNjdGOUUzLTAxM0UtNDA1RC05MzgzLUMyNkE5RDlEMjA2MH0iIHVzZXJpZD0iezZENzI3NDNELTAzQzAtNEI0NS1BOUI0LUJFNEY3RUMwMDU2RX0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7MTZEODNDNDAtMTQwOC00MTlDLTlEN0YtMkY4REU0Q0Y5MDAyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDsrMGpVbVllS3RaQUY1QzNnMjJwQkI1RjBSeWR0ZjFTSDdibndzbm9VK2ZrPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTg1LjI5IiBuZXh0dmVyc2lvbj0iMS4zLjE4MS41IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU0OTIwMzg4IiBpbnN0YWxsX3RpbWVfbXM9IjU0NyIvPjwvYXBwPjwvcmVxdWVzdD45⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:5548
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{7C67F9E3-013E-405D-9383-C26A9D9D2060}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5712
-
-
-
-
C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6012 -
C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{42CF0CB8-8794-46EC-B4A6-7341FD3228B9} {49CC9151-81BF-4566-BD07-B2909FE0D7AF} 60124⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6088
-
-
-
C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6080 -
C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2012.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{54C424AD-A724-4F66-B613-15F23FB44DEF} {1016E2D3-8F05-443C-A9B5-E74B4E0B8EB6} 60804⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256
-
-
-
C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2020 -
C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{C58EE16A-A9D0-4935-B1D4-2D86D81DEE9E} {34786892-0C41-466A-8BEC-9728180CD6AE} 20204⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348
-
-
-
C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5948 -
C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x64_2013.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi" -burn.unelevated BurnPipe.{A4D3DFD3-4921-4C49-93BD-A4B56177FBAE} {617701B9-F91A-427A-ADD0-C2F9ED89E442} 59484⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4824
-
-
-
C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2019.exe"C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2019.exe" /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"3⤵
- Executes dropped EXE
PID:6000 -
C:\Windows\Temp\{7DE2BB01-5011-457E-B0A7-072D55515FD9}\.cr\vcredist_x86_2019.exe"C:\Windows\Temp\{7DE2BB01-5011-457E-B0A7-072D55515FD9}\.cr\vcredist_x86_2019.exe" -burn.clean.room="C:\Program Files (x86)\SimHub\Redist\vcredist_x86_2019.exe" -burn.filehandle.attached=228 -burn.filehandle.self=676 /passive /norestart /Q /c:"msiexec /qb /i vcredist.msi"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5764 -
C:\Windows\Temp\{8DD37D98-AE9F-4B6F-817C-1125072840E5}\.be\VC_redist.x86.exe
"C:\Windows\Temp\{8DD37D98-AE9F-4B6F-817C-1125072840E5}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{1C1F9403-4FCB-4275-A6DC-82673203F455} {872B6FBB-F0E2-4369-952F-49AB28FCCA05} 5764
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3468 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={4f84f2dc-3f70-433a-8f50-8293e0089b0f} -burn.filehandle.self=1112 -burn.embedded BurnPipe.{6E7B99A7-D833-4B8F-B391-81AFC64567A6} {D42A045C-18ED-4C2F-8641-AD2E5F0146AA} 3468
6⤵
PID:5368
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=548 -burn.filehandle.self=568 -uninstall -quiet -burn.related.upgrade -burn.ancestors={4f84f2dc-3f70-433a-8f50-8293e0089b0f} -burn.filehandle.self=1112 -burn.embedded BurnPipe.{6E7B99A7-D833-4B8F-B391-81AFC64567A6} {D42A045C-18ED-4C2F-8641-AD2E5F0146AA} 3468
7⤵
- Loads dropped DLL
PID:2288 -
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9C38B8F8-9F72-464F-A11D-DC640294415F} {D5558F9C-7574-4C47-B7CB-9E56872F5F7D} 2288
8⤵
PID:3076
-
-
-
-
-
-
-
C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
"C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.ndp48
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5524 -
C:\Program Files (x86)\SimHub\Packages\SimHub.ndp48-web.1.0.0.exe
"C:\Program Files (x86)\SimHub\Packages\SimHub.ndp48-web.1.0.0.exe" /norestart /q
4⤵
- Executes dropped EXE
PID:3912 -
F:\7333342c48b626191bee95d6\Setup.exe
F:\7333342c48b626191bee95d6\\Setup.exe /norestart /q /x86 /x64 /web
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:760
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\SimHub\SimHubWPF.exe"3⤵
- Drops file in Windows directory
PID:4476 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 220 -Pipe 22c -Comment "NGen Worker Process"4⤵
- Loads dropped DLL
PID:5676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"4⤵PID:208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2e0 -Comment "NGen Worker Process"4⤵PID:5272
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"4⤵PID:6128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 33c -Comment "NGen Worker Process"4⤵PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 0 -NGENProcess 2bc -Pipe 31c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 0 -NGENProcess 328 -Pipe 338 -Comment "NGen Worker Process"4⤵PID:6048
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"4⤵PID:2288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"4⤵PID:1692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 340 -Pipe 2e4 -Comment "NGen Worker Process"4⤵PID:3580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 0 -NGENProcess 32c -Pipe 354 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 0 -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"4⤵PID:6068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 0 -NGENProcess 35c -Pipe 318 -Comment "NGen Worker Process"4⤵PID:5780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 0 -NGENProcess 380 -Pipe 358 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:4544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 370 -Pipe 378 -Comment "NGen Worker Process"4⤵PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 398 -Pipe 390 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:6104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 0 -NGENProcess 35c -Pipe 374 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 0 -NGENProcess 360 -Pipe 32c -Comment "NGen Worker Process"4⤵PID:5460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 0 -NGENProcess 2bc -Pipe 380 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 0 -NGENProcess 3ac -Pipe 38c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:6140
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 3a4 -Pipe 3a0 -Comment "NGen Worker Process"4⤵PID:3468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 3a8 -Pipe 394 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:3764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 36c -Pipe 39c -Comment "NGen Worker Process"4⤵PID:6008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 0 -NGENProcess 3ac -Pipe 360 -Comment "NGen Worker Process"4⤵PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 370 -Pipe 388 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 3c0 -Pipe 35c -Comment "NGen Worker Process"4⤵PID:1064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 0 -NGENProcess 3b8 -Pipe 3d0 -Comment "NGen Worker Process"4⤵PID:5716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 0 -NGENProcess 3b8 -Pipe 348 -Comment "NGen Worker Process"4⤵PID:4724
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 344 -Pipe 3c8 -Comment "NGen Worker Process"4⤵PID:1188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 3b4 -Pipe 3a8 -Comment "NGen Worker Process"4⤵PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 0 -NGENProcess 3b4 -Pipe 3e8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:3308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 0 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"4⤵PID:3508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 0 -NGENProcess 37c -Pipe 2bc -Comment "NGen Worker Process"4⤵PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 0 -NGENProcess 2d8 -Pipe 384 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"4⤵PID:1496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 36c -Pipe 340 -Comment "NGen Worker Process"4⤵PID:1512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 3c0 -Comment "NGen Worker Process"4⤵PID:2512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 0 -NGENProcess 370 -Pipe 3a4 -Comment "NGen Worker Process"4⤵PID:5168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 3dc -Pipe 3b8 -Comment "NGen Worker Process"4⤵PID:6084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 0 -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process"4⤵PID:1268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 3c4 -Pipe 3d8 -Comment "NGen Worker Process"4⤵PID:5332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 3f4 -Comment "NGen Worker Process"4⤵PID:5308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 0 -NGENProcess 3d4 -Pipe 3e0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:4824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 3dc -Comment "NGen Worker Process"4⤵PID:2028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 3ac -Pipe 2d8 -Comment "NGen Worker Process"4⤵PID:5676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 3f0 -Pipe 334 -Comment "NGen Worker Process"4⤵PID:3576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 0 -NGENProcess 3ac -Pipe 334 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 304 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 0 -NGENProcess 308 -Pipe 36c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 3f8 -Pipe 320 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 3ac -Pipe 308 -Comment "NGen Worker Process"4⤵PID:6140
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 0 -NGENProcess 344 -Pipe 300 -Comment "NGen Worker Process"4⤵PID:2244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3ac -Pipe 398 -Comment "NGen Worker Process"4⤵PID:5816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 3ec -Pipe 3f8 -Comment "NGen Worker Process"4⤵PID:3940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 0 -NGENProcess 3f0 -Pipe 370 -Comment "NGen Worker Process"4⤵PID:6044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 0 -NGENProcess 3ec -Pipe 34c -Comment "NGen Worker Process"4⤵PID:6052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"4⤵PID:5484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 0 -NGENProcess 3fc -Pipe 3b4 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 0 -NGENProcess 3ec -Pipe 418 -Comment "NGen Worker Process"4⤵PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 0 -NGENProcess 3c4 -Pipe 420 -Comment "NGen Worker Process"4⤵PID:3848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 41c -Pipe 414 -Comment "NGen Worker Process"4⤵PID:772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 3f0 -Pipe 3bc -Comment "NGen Worker Process"4⤵PID:3740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 424 -Pipe 344 -Comment "NGen Worker Process"4⤵PID:1216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 0 -NGENProcess 430 -Pipe 40c -Comment "NGen Worker Process"4⤵PID:5324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 0 -NGENProcess 428 -Pipe 42c -Comment "NGen Worker Process"4⤵PID:5140
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 0 -NGENProcess 404 -Pipe 2c4 -Comment "NGen Worker Process"4⤵PID:5996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 0 -NGENProcess 3f0 -Pipe 368 -Comment "NGen Worker Process"4⤵PID:180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 0 -NGENProcess 444 -Pipe 424 -Comment "NGen Worker Process"4⤵PID:1560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 0 -NGENProcess 350 -Pipe 41c -Comment "NGen Worker Process"4⤵PID:6088
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 0 -NGENProcess 3cc -Pipe 410 -Comment "NGen Worker Process"4⤵PID:1496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 0 -NGENProcess 368 -Pipe 430 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 0 -NGENProcess 3cc -Pipe 368 -Comment "NGen Worker Process"4⤵PID:5880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 0 -NGENProcess 434 -Pipe 444 -Comment "NGen Worker Process"4⤵PID:4344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 0 -NGENProcess 448 -Pipe 45c -Comment "NGen Worker Process"4⤵PID:6020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 0 -NGENProcess 440 -Pipe 3fc -Comment "NGen Worker Process"4⤵PID:5768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 450 -Pipe 458 -Comment "NGen Worker Process"4⤵PID:5272
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 0 -NGENProcess 434 -Pipe 468 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 0 -NGENProcess 350 -Pipe 46c -Comment "NGen Worker Process"4⤵PID:1912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 0 -NGENProcess 480 -Pipe 478 -Comment "NGen Worker Process"4⤵PID:3512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 0 -NGENProcess 3fc -Pipe 490 -Comment "NGen Worker Process"4⤵PID:5796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 0 -NGENProcess 450 -Pipe 434 -Comment "NGen Worker Process"4⤵PID:3548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 0 -NGENProcess 450 -Pipe 488 -Comment "NGen Worker Process"4⤵PID:4444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 0 -NGENProcess 470 -Pipe 4a0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 0 -NGENProcess 460 -Pipe 3d4 -Comment "NGen Worker Process"4⤵PID:2168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 0 -NGENProcess 480 -Pipe 464 -Comment "NGen Worker Process"4⤵PID:772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 0 -NGENProcess 450 -Pipe 43c -Comment "NGen Worker Process"4⤵PID:5448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 494 -Pipe 47c -Comment "NGen Worker Process"4⤵PID:6064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 0 -NGENProcess 480 -Pipe 428 -Comment "NGen Worker Process"4⤵PID:5820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 0 -NGENProcess 484 -Pipe 480 -Comment "NGen Worker Process"4⤵PID:4048
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 484 -InterruptEvent 0 -NGENProcess 460 -Pipe 3ec -Comment "NGen Worker Process"4⤵PID:5764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 460 -Pipe 498 -Comment "NGen Worker Process"4⤵PID:4676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 0 -NGENProcess 3f0 -Pipe 484 -Comment "NGen Worker Process"4⤵PID:5124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 350 -Pipe 3cc -Comment "NGen Worker Process"4⤵PID:2364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 0 -NGENProcess 474 -Pipe 44c -Comment "NGen Worker Process"4⤵PID:5688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 0 -NGENProcess 4a4 -Pipe 454 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 0 -NGENProcess 474 -Pipe 3f0 -Comment "NGen Worker Process"4⤵PID:5776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 0 -NGENProcess 474 -Pipe 48c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:396
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 0 -NGENProcess 440 -Pipe 4a4 -Comment "NGen Worker Process"4⤵PID:5900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 0 -NGENProcess 350 -Pipe 4b4 -Comment "NGen Worker Process"4⤵PID:5792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 0 -NGENProcess 450 -Pipe 47c -Comment "NGen Worker Process"4⤵PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 0 -NGENProcess 448 -Pipe 404 -Comment "NGen Worker Process"4⤵PID:5316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 0 -NGENProcess 4ac -Pipe 494 -Comment "NGen Worker Process"4⤵PID:4332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 0 -NGENProcess 4a8 -Pipe 440 -Comment "NGen Worker Process"4⤵PID:5988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 0 -NGENProcess 4c0 -Pipe 4a8 -Comment "NGen Worker Process"4⤵PID:6016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ac -InterruptEvent 0 -NGENProcess 49c -Pipe 350 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 0 -NGENProcess 448 -Pipe 3fc -Comment "NGen Worker Process"4⤵PID:4276
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 0 -NGENProcess 4c8 -Pipe 3c4 -Comment "NGen Worker Process"4⤵PID:5908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 0 -NGENProcess 4c4 -Pipe 450 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 49c -Pipe 4b0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 0 -NGENProcess 4c4 -Pipe 4e4 -Comment "NGen Worker Process"4⤵PID:5452
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 0 -NGENProcess 4f4 -Pipe 4e8 -Comment "NGen Worker Process"4⤵PID:4108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 4e0 -Pipe 448 -Comment "NGen Worker Process"4⤵PID:116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 0 -NGENProcess 4ec -Pipe 4c8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:4924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 0 -NGENProcess 4d0 -Pipe 4cc -Comment "NGen Worker Process"4⤵PID:1936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 0 -NGENProcess 4ec -Pipe 49c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 0 -NGENProcess 49c -Pipe 4c4 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 0 -NGENProcess 4bc -Pipe 4ec -Comment "NGen Worker Process"4⤵PID:3696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 0 -NGENProcess 4f4 -Pipe 508 -Comment "NGen Worker Process"4⤵PID:5644
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 0 -NGENProcess 450 -Pipe 4c0 -Comment "NGen Worker Process"4⤵PID:3308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 0 -NGENProcess 4fc -Pipe 4dc -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 0 -NGENProcess 504 -Pipe 4f0 -Comment "NGen Worker Process"4⤵PID:5728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 0 -NGENProcess 474 -Pipe 4e0 -Comment "NGen Worker Process"4⤵PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 0 -NGENProcess 504 -Pipe 534 -Comment "NGen Worker Process"4⤵PID:5312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 0 -NGENProcess 4f8 -Pipe 4bc -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 0 -NGENProcess 4f0 -Pipe 520 -Comment "NGen Worker Process"4⤵PID:5316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 0 -NGENProcess 53c -Pipe 528 -Comment "NGen Worker Process"4⤵PID:5236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 0 -NGENProcess 518 -Pipe 4d0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 0 -NGENProcess 538 -Pipe 4fc -Comment "NGen Worker Process"4⤵PID:6032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 0 -NGENProcess 540 -Pipe 450 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 0 -NGENProcess 518 -Pipe 49c -Comment "NGen Worker Process"4⤵PID:5552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 0 -NGENProcess 538 -Pipe 55c -Comment "NGen Worker Process"4⤵PID:3444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 0 -NGENProcess 53c -Pipe 518 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 0 -NGENProcess 544 -Pipe 50c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:6120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 0 -NGENProcess 460 -Pipe 4ac -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:1064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 0 -NGENProcess 4f0 -Pipe 530 -Comment "NGen Worker Process"4⤵PID:5204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 558 -InterruptEvent 0 -NGENProcess 538 -Pipe 550 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 0 -NGENProcess 574 -Pipe 474 -Comment "NGen Worker Process"4⤵PID:3812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 0 -NGENProcess 574 -Pipe 564 -Comment "NGen Worker Process"4⤵PID:2636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 0 -NGENProcess 53c -Pipe 558 -Comment "NGen Worker Process"4⤵PID:3900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 0 -NGENProcess 56c -Pipe 560 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 0 -NGENProcess 578 -Pipe 57c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 0 -NGENProcess 570 -Pipe 588 -Comment "NGen Worker Process"4⤵PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 590 -InterruptEvent 0 -NGENProcess 594 -Pipe 4f0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:6036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 0 -NGENProcess 594 -Pipe 5a0 -Comment "NGen Worker Process"4⤵PID:5552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 0 -NGENProcess 59c -Pipe 590 -Comment "NGen Worker Process"4⤵PID:5484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 544 -InterruptEvent 0 -NGENProcess 590 -Pipe 554 -Comment "NGen Worker Process"4⤵PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 0 -NGENProcess 568 -Pipe 590 -Comment "NGen Worker Process"4⤵PID:5328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 0 -NGENProcess 584 -Pipe 540 -Comment "NGen Worker Process"4⤵PID:5704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 0 -NGENProcess 54c -Pipe 548 -Comment "NGen Worker Process"4⤵PID:5132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 0 -NGENProcess 460 -Pipe 56c -Comment "NGen Worker Process"4⤵PID:6004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 594 -InterruptEvent 0 -NGENProcess 544 -Pipe 584 -Comment "NGen Worker Process"4⤵PID:4164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 0 -NGENProcess 52c -Pipe 4f8 -Comment "NGen Worker Process"4⤵PID:5968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 0 -NGENProcess 4d8 -Pipe 594 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 0 -NGENProcess 58c -Pipe 544 -Comment "NGen Worker Process"4⤵PID:5724
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 0 -NGENProcess 4e0 -Pipe 574 -Comment "NGen Worker Process"4⤵PID:5576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 0 -NGENProcess 570 -Pipe 4e0 -Comment "NGen Worker Process"4⤵PID:5508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 0 -NGENProcess 5a8 -Pipe 5b0 -Comment "NGen Worker Process"4⤵PID:368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 0 -NGENProcess 4d8 -Pipe 4f4 -Comment "NGen Worker Process"4⤵PID:5488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 59c -InterruptEvent 0 -NGENProcess 5bc -Pipe 5b4 -Comment "NGen Worker Process"4⤵PID:5304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 0 -NGENProcess 54c -Pipe 59c -Comment "NGen Worker Process"4⤵PID:2976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 0 -NGENProcess 53c -Pipe 5bc -Comment "NGen Worker Process"4⤵PID:5252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 0 -NGENProcess 5ac -Pipe 52c -Comment "NGen Worker Process"4⤵PID:5524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 58c -InterruptEvent 0 -NGENProcess 4d4 -Pipe 580 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5ac -InterruptEvent 0 -NGENProcess 524 -Pipe 52c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 0 -NGENProcess 570 -Pipe 5ac -Comment "NGen Worker Process"4⤵PID:6100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 0 -NGENProcess 578 -Pipe 5cc -Comment "NGen Worker Process"4⤵PID:5292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 0 -NGENProcess 5a8 -Pipe 5c8 -Comment "NGen Worker Process"4⤵PID:1220
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 0 -NGENProcess 5a8 -Pipe 4f0 -Comment "NGen Worker Process"4⤵PID:6056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 0 -NGENProcess 5b8 -Pipe 514 -Comment "NGen Worker Process"4⤵PID:4652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5e0 -InterruptEvent 0 -NGENProcess 5c4 -Pipe 5dc -Comment "NGen Worker Process"4⤵PID:5852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 0 -NGENProcess 58c -Pipe 4d8 -Comment "NGen Worker Process"4⤵PID:396
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 0 -NGENProcess 4d4 -Pipe 524 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:212
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 0 -NGENProcess 5e4 -Pipe 5c0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 0 -NGENProcess 4d4 -Pipe 58c -Comment "NGen Worker Process"4⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d4 -InterruptEvent 0 -NGENProcess 5a8 -Pipe 1e8 -Comment "NGen Worker Process"4⤵PID:5364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 0 -NGENProcess 578 -Pipe 5b8 -Comment "NGen Worker Process"4⤵PID:1256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 598 -InterruptEvent 0 -NGENProcess 578 -Pipe 5a4 -Comment "NGen Worker Process"4⤵PID:4136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 0 -NGENProcess 5d0 -Pipe 598 -Comment "NGen Worker Process"4⤵PID:5864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5f4 -InterruptEvent 0 -NGENProcess 5f0 -Pipe 5e0 -Comment "NGen Worker Process"4⤵PID:4348
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d4 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 604 -Comment "NGen Worker Process"4⤵PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 0 -NGENProcess 5a8 -Pipe 5e4 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 600 -InterruptEvent 0 -NGENProcess 54c -Pipe 60c -Comment "NGen Worker Process"4⤵PID:4592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5a8 -InterruptEvent 0 -NGENProcess 5ec -Pipe 570 -Comment "NGen Worker Process"4⤵PID:1512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5d4 -InterruptEvent 0 -NGENProcess 5d0 -Pipe 5e8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 620 -InterruptEvent 0 -NGENProcess 608 -Pipe 460 -Comment "NGen Worker Process"4⤵PID:5348
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 5c4 -InterruptEvent 0 -NGENProcess 5f4 -Pipe 620 -Comment "NGen Worker Process"4⤵PID:6084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 610 -InterruptEvent 0 -NGENProcess 5f8 -Pipe 600 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 608 -InterruptEvent 0 -NGENProcess 578 -Pipe 604 -Comment "NGen Worker Process"4⤵PID:4652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 610 -Pipe 5d4 -Comment "NGen Worker Process"4⤵PID:5852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 0 -NGENProcess 630 -Pipe 63c -Comment "NGen Worker Process"4⤵PID:5304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 64c -InterruptEvent 0 -NGENProcess 648 -Pipe 650 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:4544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 668 -InterruptEvent 0 -NGENProcess 654 -Pipe 65c -Comment "NGen Worker Process"4⤵PID:5684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 66c -InterruptEvent 0 -NGENProcess 640 -Pipe 660 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 640 -InterruptEvent 0 -NGENProcess 654 -Pipe 66c -Comment "NGen Worker Process"4⤵PID:3332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 64c -InterruptEvent 0 -NGENProcess 640 -Pipe 610 -Comment "NGen Worker Process"4⤵PID:5748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 610 -InterruptEvent 0 -NGENProcess 628 -Pipe 654 -Comment "NGen Worker Process"4⤵PID:3848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 658 -InterruptEvent 0 -NGENProcess 640 -Pipe 64c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:2688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 0 -NGENProcess 1e8 -Pipe 608 -Comment "NGen Worker Process"4⤵PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 658 -InterruptEvent 0 -NGENProcess 628 -Pipe 668 -Comment "NGen Worker Process"4⤵PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 67c -InterruptEvent 0 -NGENProcess 614 -Pipe 5f4 -Comment "NGen Worker Process"4⤵PID:4956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 0 -NGENProcess 644 -Pipe 638 -Comment "NGen Worker Process"4⤵PID:1612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 0 -NGENProcess 61c -Pipe 644 -Comment "NGen Worker Process"4⤵PID:5716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 678 -InterruptEvent 0 -NGENProcess 630 -Pipe 578 -Comment "NGen Worker Process"4⤵PID:5012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 674 -InterruptEvent 0 -NGENProcess 658 -Pipe 640 -Comment "NGen Worker Process"4⤵PID:5324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 614 -InterruptEvent 0 -NGENProcess 61c -Pipe 634 -Comment "NGen Worker Process"4⤵PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 0 -NGENProcess 648 -Pipe 67c -Comment "NGen Worker Process"4⤵PID:5216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 0 -NGENProcess 5ec -Pipe 674 -Comment "NGen Worker Process"4⤵PID:3916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 664 -InterruptEvent 0 -NGENProcess 698 -Pipe 68c -Comment "NGen Worker Process"4⤵PID:2288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 670 -InterruptEvent 0 -NGENProcess 658 -Pipe 568 -Comment "NGen Worker Process"4⤵PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 618 -InterruptEvent 0 -NGENProcess 6a0 -Pipe 648 -Comment "NGen Worker Process"4⤵PID:5772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6b0 -InterruptEvent 0 -NGENProcess 6ac -Pipe 670 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:4928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 0 -NGENProcess 6a4 -Pipe 658 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c0 -InterruptEvent 0 -NGENProcess 6a4 -Pipe 6a0 -Comment "NGen Worker Process"4⤵PID:3548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c0 -InterruptEvent 0 -NGENProcess 6b4 -Pipe 6c8 -Comment "NGen Worker Process"4⤵PID:3580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 680 -InterruptEvent 0 -NGENProcess 698 -Pipe 6ac -Comment "NGen Worker Process"4⤵PID:4988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 698 -InterruptEvent 0 -NGENProcess 688 -Pipe 680 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 630 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 6b4 -Comment "NGen Worker Process"4⤵PID:1364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 62c -InterruptEvent 0 -NGENProcess 6cc -Pipe 6c0 -Comment "NGen Worker Process"4⤵PID:2596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6d4 -InterruptEvent 0 -NGENProcess 6bc -Pipe 6d0 -Comment "NGen Worker Process"4⤵PID:368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6d4 -InterruptEvent 0 -NGENProcess 6cc -Pipe 6bc -Comment "NGen Worker Process"4⤵PID:4344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 6dc -Pipe 630 -Comment "NGen Worker Process"4⤵PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6c4 -InterruptEvent 0 -NGENProcess 6e4 -Pipe 62c -Comment "NGen Worker Process"4⤵PID:4904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6cc -InterruptEvent 0 -NGENProcess 618 -Pipe 6b8 -Comment "NGen Worker Process"4⤵PID:5468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 6ec -InterruptEvent 0 -NGENProcess 6f0 -Pipe 70c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5260
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\SimHub\SimHub.BitmapDisplay.Subprocess.X86.exe"3⤵
- Drops file in Windows directory
PID:3812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 220 -Pipe 22c -Comment "NGen Worker Process"4⤵PID:3012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 240 -Pipe 2d8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
PID:5764
-
-
-
C:\Program Files (x86)\SimHub\SimHubWpf.exe
"C:\Program Files (x86)\SimHub\SimHubWpf.exe" setfileassociations
3⤵
- Executes dropped EXE
- Modifies registry class
PID:1256
-
-
C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
"C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.VOCORE
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5400 -
C:\Program Files (x86)\SimHub\Packages\SimHub.VOCOREScreenSetup.1.0.0.exe"C:\Program Files (x86)\SimHub\Packages\SimHub.VOCOREScreenSetup.1.0.0.exe" /SILENT4⤵
- Executes dropped EXE
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\is-213UR.tmp\SimHub.VOCOREScreenSetup.1.0.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-213UR.tmp\SimHub.VOCOREScreenSetup.1.0.0.tmp" /SL5="$9041C,2714648,57856,C:\Program Files (x86)\SimHub\Packages\SimHub.VOCOREScreenSetup.1.0.0.exe" /SILENT5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5784 -
C:\Program Files (x86)\VOCORE USB2.0 Screen driver\wdi-simple.exe
"C:\Program Files (x86)\VOCORE USB2.0 Screen driver\wdi-simple.exe" --type 0 --name "USB2.0 Screen" --vid 0xC872 --pid 0x1004 --progressbar=197776 --timeout 120000
6⤵
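- Manipulates Digital Signatures (triage note: wdi-simple.exe matches the name of libwdi's sample driver installer, and its --vid/--pid arguments together with the installer_x64.exe "usb_device.inf" child are consistent with a self-signed USB driver package being installed; confirm which certificate was added to the system store and whether that trust is acceptable on the host before treating this tag as benign or malicious)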
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
PID:4612 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵ PID:180
-
-
C:\Program Files (x86)\VOCORE USB2.0 Screen driver\usb_driver\installer_x64.exe"C:\Program Files (x86)\VOCORE USB2.0 Screen driver\usb_driver\installer_x64.exe" "usb_device.inf"7⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272
-
-
-
-
-
-
C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
"C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.USBD480
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1256 -
C:\Program Files (x86)\SimHub\Packages\SimHub.USBD480Installer.1.0.0.exe"C:\Program Files (x86)\SimHub\Packages\SimHub.USBD480Installer.1.0.0.exe" /S4⤵
- Executes dropped EXE
PID:2184
-
-
-
C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe
"C:\Program Files (x86)\SimHub\SimHub.PackageManager.Standalone.exe" installsilent SimHub.AX206
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:6020 -
C:\Program Files (x86)\SimHub\Packages\SimHub.AX206creenSetup.1.0.0.exe"C:\Program Files (x86)\SimHub\Packages\SimHub.AX206creenSetup.1.0.0.exe" /SILENT4⤵
- Executes dropped EXE
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\is-O9IKH.tmp\SimHub.AX206creenSetup.1.0.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-O9IKH.tmp\SimHub.AX206creenSetup.1.0.0.tmp" /SL5="$E040C,2714648,57856,C:\Program Files (x86)\SimHub\Packages\SimHub.AX206creenSetup.1.0.0.exe" /SILENT5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1184 -
C:\Program Files (x86)\AX206 Screen driver\wdi-simple.exe
"C:\Program Files (x86)\AX206 Screen driver\wdi-simple.exe" --type 0 --name "USB-Display" --vid 0x1908 --pid 0x0102 --progressbar=590948 --timeout 120000
6⤵
- Manipulates Digital Signatures
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
PID:840 -
C:\Program Files (x86)\AX206 Screen driver\usb_driver\installer_x64.exe"C:\Program Files (x86)\AX206 Screen driver\usb_driver\installer_x64.exe" "usb_device.inf"7⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5380
-
-
-
-
-
-
C:\Program Files (x86)\SimHub\SimHubWPF.exe"C:\Program Files (x86)\SimHub\SimHubWPF.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2376
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5804 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV4cCBldGFnPSImcXVvdDtEVjBqSS9LRGx4aEh1ZTFMOUtSR0djcU9oZjNIM2gzYWNTckVhblFLZmdRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEwNiIgbmV4dHZlcnNpb249IjEyMy4wLjYzMTIuMTA2IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI1ODUxNDIyNCIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:1628
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\MicrosoftEdge_X64_124.0.2478.80.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\MicrosoftEdge_X64_124.0.2478.80.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:5436 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\EDGEMITMP_E3A4E.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\EDGEMITMP_E3A4E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\MicrosoftEdge_X64_124.0.2478.80.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1452 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\EDGEMITMP_E3A4E.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\EDGEMITMP_E3A4E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{097CFA39-3816-4815-9F9B-C8BF7AA145D2}\EDGEMITMP_E3A4E.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff71d7a88c0,0x7ff71d7a88cc,0x7ff71d7a88d8
4⤵
- Executes dropped EXE
PID:5568
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjQuMC4yNDc4LjgwIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjY4MDQ1NTA3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MDA4NDM5MzY3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNTk0IiBkb3dubG9hZF90aW1lX21zPSIzMDkyMiIgZG93bmxvYWRlZD0iMTcyNzk2NDcyIiB0b3RhbD0iMTcyNzk2NDcyIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0MTc4OSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:5788
-
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5200
-
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2404
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3744
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:2156 -
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{25a63da9-268c-b741-9263-cd8ee98022cb}\usb_device.inf" "9" "47eb97ec3" "0000000000000144" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files (x86)\VOCORE USB2.0 Screen driver\usb_driver"
2⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4584
-
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{079e9d39-8786-7a42-a7a1-e8db71e68cde}\USBD480_Libusb.inf" "9" "4b2365517" "0000000000000144" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files (x86)\USBD480\libusb"
2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:368
-
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{db3b9a2b-114f-254a-aac5-df22dce147fb}\usb_device.inf" "9" "4fbfa3bc3" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\AX206 Screen driver\usb_driver"
2⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5140
-
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1880
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5668
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2636
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5132
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x470
1⤵
PID:5832
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 3
  Create or Modify System Process: 1
    Windows Service: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 3
  Create or Modify System Process: 1
    Windows Service: 1
Defense Evasion
  Impair Defenses: 1
    Disable or Modify System Firewall: 1
  Modify Registry: 3
  Subvert Trust Controls: 2
    Install Root Certificate: 1
    SIP and Trust Provider Hijacking: 1
Replay Monitor
Downloads
-
Filesize
16KB
MD5bf15493ef9efc67d454ec44d081701ca
SHA1c1e574df6ed2914aac30d0e0d1981d20c2baf544
SHA256cdcf50775b02ba0f092bef63687259ce2e9ee88875a89a9b98daeb5e9fbba045
SHA512db439013e76b834f4ad679e6e45fec49250dd1ebf076dae7bec02f20c0ac141bfb7f3c1d6fe01863532b97ce1567880d64fe823cadcade469e342ea3d60579be
-
Filesize
18KB
MD5c3fef30d555cf02f9a8b6978756254ee
SHA164ebd535f695dfda388e7c8d8d07a15e85320dcc
SHA2567d24957baa68a9bc66d7110c473bf38697948f5ef402f4485ba4d744ec847f82
SHA5128614cf631e58ffa9d6147fa5700ac95ef9ff5cf73f6d06bfbcc035ac1d3d90ae1fee2033007a4f1339101a844a581b95fb29471ca4ff6139933fa78a1b243faf
-
Filesize
20KB
MD533480aa91db0e1c28981c4dcba7dfdab
SHA11c12edc25c105ec587a55a2764f8397a03ec41f7
SHA256b8d5e8eebcc05ceba8332baa85ec5d872be34845fb00833387e53096b4037504
SHA512aea04dfd0edb8ae06200d8b52ab727ee5e74b81e6c61b6d695195ce31ca2dba6ecf43eb097abf80fc3b5d15169aeca02c3135130fe14214980436b8ecdd19dc7
-
Filesize
19KB
MD520e247495c2a1acc5269e5fc714ae853
SHA15952e1f38fa5e3229f1ce1333eeb34abc1ea058d
SHA256f55e04a564138847c6ab7e4cdfffd99dea3e334a845296568777c05a0a15d073
SHA512dd566e1922bc772fb9d6278a148d92bd067c72b80f1d751dd6cfe0d47e93e9a87cf37113f485b682ac6fd427a7e9828cd766e76b70b0f759de3ef1bd763ca21e
-
Filesize
708KB
MD5431856bd89c8eb2a70544e1976cc8e30
SHA1cce500a59d8dcd09543b24f031e613f4072cedfd
SHA2563207cbfa4a62352b40e9cd925a88046fba4ad1fbba445420fba97a05019ba914
SHA5123e2f1c914e14580c4d2bc9e63a6f0bcea32a114840878db7eae84be774d2facb3b5e71a8362f1314a21ab9c41d8fff9791794ded2389a9d59fa389ab2da443c1
-
Filesize
3.4MB
MD5d46a57dd162e13ec76d6312dfb25c73f
SHA1ad64a68a7cd54af99b44ad8ad488b104db598d9c
SHA25668902faf7d73b3ad3e15006df424e1d844b9f9bda911294f073110ad1d5dc617
SHA5122bdece7d55195b517c35c433d39f32ce2584a14afa8679a90a9622faefba80f9bfd9c7293069f81bee3633de0df0f07a0673d78f80905525d2e197ba95bcb413
-
Filesize
6.8MB
MD51cd79627301bfdeb1d3fba51cad868a6
SHA12b71bae909047dd0374425e9df941ef93fb696dc
SHA25674ab283991de81543bff5786ad8bebd41c243bc00beda305da00c55a60ac2093
SHA512839860435573bddfcbb950e2986333dd43ab5df5b2a0032fb18cd25c736e94d998b5ea1fc1e1b0c1d02a28b9615653becc4b535434bfd8a7a02f5995acf1808f
-
Filesize
12KB
MD5369bbc37cff290adb8963dc5e518b9b8
SHA1de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA2563d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA5124f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
Filesize
179KB
MD59540ad83a08605ba1f52196424ce3067
SHA1a533eb61319bce1720b55d8921691323a4178c3d
SHA256b0b5d9eb6f4b176bdfbe4da0a060ad1b76c813186fae3d9a6e1b1dd9ee0d01d1
SHA512bb00ee12c353c9deeb8105399b2a956343e4a1c13dd1198d0f481c4f699099a34ede80f15bb4efa9a1f68c2c12ff75da163b48bfdf30353d5ef5d4bb7c174493
-
Filesize
201KB
MD511fe091ace9d03b9ada6d5a22d12c0d0
SHA15379ebe84500d425586904e7f9ac0393ab2a9d24
SHA25650f4ed60a507ce9dd1f3f4e7d53053d923cb71594374a25251746a9b2271e4ee
SHA5120f39af99697332c697ca62e2708e0a9200552a55f2d3057b64e9b18df2fe2828be750b14b5336ac9518b4c1282e82cd170b64587cf56b45b840ca231108b7fdf
-
Filesize
212KB
MD57750d94e4719ba69f5f83213444c0015
SHA1f2d49b2d5c3bb372a5c74513de0744f2a5f3fe5e
SHA2561ab31694ff0b6283fbb6ec062d6eab9ffb26df9d6d1ba140cf60a8e7a4cb9fe5
SHA5124aba2ff17870e6e20fbcfe8d31036d52d9b2ae9df1013e1140cdf321bb4da0a8f5cdbbabfbee758cd2f2bbe2a3b10f25351f9e29cc5f5d91baea6dce2c83e714
-
Filesize
258KB
MD53fa9ae698a600ff3422995504cd088c4
SHA1bb0b798291c7e37c514d8fce11b8c777d13a6b2e
SHA256a8e1533f87ac5273f908fbb67edb786f231fcae44b49dd5e6ceb3c777c1f01a9
SHA5123dea12c2f30fdd5cc4125de40ad26c9f1a69abe8505c863b1469f47349d79f2b51ab037009e500291085366abf0ee2b24d16a3eb419b715894b924af656d2b04
-
Filesize
4KB
MD56dd5bf0743f2366a0bdd37e302783bcd
SHA1e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA25691d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
Filesize
2.1MB
MD50bec55833f356f89b8d9d63727ddc43e
SHA18dcfd2b8292ab7a585a8a4e40d61b81c96b63f5c
SHA256b360afadecb2334ba103d515c506e792cb9aeea5925a6cf85dbfd786a225ffc3
SHA5126592f21800f91474d2ade6102a0d0d36097e5552278e5aa390e52dccc838b323f9a4b89b6c879c56621d0de84a9ef054f695a6fdc267c9142a3d234bf3a2460c
-
Filesize
29KB
MD5ca3b6944f47fb398e4656d7076e3d247
SHA1592c966af88cb9fd39250d917fe4876bb213d36b
SHA256d1d58d338db2f0f885d7e945613c2e6b98ce02534a2635c392cec04e8c8b5f71
SHA5125be93716c178401e809aba922b05abfe4c6585ac8544ba6fde1ae16af87e571ef28d51f8d71946d5acde96370d39bef8d85349677de16b3e8009ba3f57802b46
-
Filesize
24KB
MD527b4625745b0d9036faeef288dcdc71f
SHA179e2e6590a0f4b6af97796058595e8df77bc4b8a
SHA25674fefc1ad1bca85ae3cdcb197396568e9ccdc3de9095cc3e787e6e28f9a04487
SHA5122f4e0c4478a244c3b1632f282c7522efbe9b2f03d6a8bb600f0d833c61fd74d7bab32683b1c0e40e58b2d30640cbf6e9b28c03b179e168a6cb7bd3512bae3f2e
-
Filesize
26KB
MD507b160c1fabcf30a0e3e907f1b12177a
SHA1c5435df1d9bc93ac87870c5d8894de8481456de9
SHA256a78619b34f4566ff3fa834111d6f02fdeb5e82ceae2167f51a85aa902f4ad2dd
SHA512cbf2df29701b0dda648f2e208596c691e1caf97d2e3314749b6a3ad899cc057f66cedbbed4d6362b987173a925e73ea266d238c9d985d03b7ffd5c32b0d0b3c8
-
Filesize
29KB
MD50e38b9e9fde2583f8dbb61f2522c1996
SHA19e6a952387380bcf54dcc9d040a2d9051a63a1f1
SHA256ea9786491db2b6548e3c935cc4f8382fb1534b3b67dde1ed6b9aa003c9a7152f
SHA512f17d95eff5b23d2d11f161a66ef67c61c34c0190ca7d11d8e30f4504f5ecfec87a02fd474a08061433e8a431d78ed92fa9cc087863f3f4caeb2b5616949bc11a
-
Filesize
29KB
MD5ea96f65e817ac6899d6732cd880f744e
SHA10fde259d82e3c300ef2461e660208fdccc339e64
SHA25606bfc34d181852321498c49fad36701a5f854ad6e5588af9e141a5cef838165f
SHA512f79099fae7d98b9208aa5be96f28d9855c5e81cd9dcc5874ed2e41c8b720f32e54fcfdedd44e075892967768f42833f9fd99657096ee10af38d3b663d48bd603
-
Filesize
29KB
MD54328bf6228c408cae033fb4acca65640
SHA1011fd7ddb7c4551abe683cb005920d85cf3eb10b
SHA25673a10a15a4be54f85e4103a994c8a628c34034d085c40627fb4f18b499379de8
SHA512a50a74fd675ed3b791bfa5a93ca9f910c5a9052e9990de0132606779a333007d305f4fae1ac9f193335cd8207a17b00e2848a87aaa09e7900df189103fa0cd92
-
Filesize
29KB
MD5c4457c581afbf9e1903fb309d8d08bf7
SHA1fc52fd6cc2de7405ac69674f74cbef43c92c5295
SHA256f409b1cce73799d3ed0fbaab72c3331cc597787680e2fc9dcd9e2803f62e006e
SHA512b8bc722dc801a9c50a972dc9ef5ebb31b43bcbc7d12cb84d0b3e64749781818963573f0bafe646160ed9edac5db5b72d7968d3e5ff908da256079e8dff4ec2d0
-
Filesize
29KB
MD54ab2b866301da9ffd1a2d9e1d2828698
SHA1bf49d684e192f14f96ab03dd0f8d9e5817a0f1b8
SHA256cfffd594b203016e13fa74c5382c1c6b46f7d3f0817eb4d649feaf3350a401f0
SHA51260874a1c999e646a11217b3d0c68af03b7b2e1210f65e8e922a2cd8741bcf1e687bf74b97ffa0082962df2f534fc4c2ca9c28c4822a7e2c50474810e42de9d24
-
Filesize
29KB
MD5139d647896af07432b0c810977139fdb
SHA127b2f2915acfb3a740c958282deb2f418df83d49
SHA2560f3d5ea311f13f94b8c0f9bd6c8fe8351ca85a9e92d96b3ac3a54e87a2167833
SHA512cda3135620409f12fc7ee77c53233af4e64ea4a7e3a7b2af3534b015b410221e500a1820cd5852236236ca8820521072eba4128efd6316e1bc7863360c07baf7
-
Filesize
30KB
MD55801a2b7df808227d967d2e0d147fa4b
SHA1dbe2844fa8bcbebc227b9817bc0ea8dcd1634b13
SHA256cc02b8e56ebe97d640eb3241d6dfdd76c36d8ad9dc6fd70c11ed6a165f87dbf0
SHA512b6f77f1284a05aa4d9e69b2f459691f8bb79466242c13d1bf011d4edd6a43e742b4541ecfdd4d7aaf7b6e72b3540d41ebfd6074086ed1a4b56ef6b852d91ba0e
-
Filesize
30KB
MD59cd4f750ad9c689151ca0a278c3774bf
SHA1cbe0a7601db4ce0aded6e18c9647750a4e03a8c5
SHA2563569e7eafe649d9b4e0fbea1db33d4a7e6c350e4031f9ac40506df4828892b0b
SHA51238e723fbcc1ae59e50d8f8ffd53cf77fd32a64686f24a0670287c25dad7fbe4852ba968f223cc5936b2a1af453e5d2d5f3cc190e07ee0a78c55f88a0c3ecb940
-
Filesize
28KB
MD514fcd6216e82727e0a757f0f6a04701a
SHA1ceb886836ad9dc04b2758271d55cab0f6c6146aa
SHA256777b0583744a3ee8e32586262d34a3d231482504f37d1b0679e1dbd1e10bb854
SHA512e963ba587017d3e579f3839a0fa0fe5be659cb749629a5b98e7b02184e811a943ac18d66c927ab45c54869650289ec6e3a9661ec40532fc2ae578a5fb15606f9
-
Filesize
28KB
MD5d082255c15ca45655f999c60c7e44653
SHA1337bb7b65c8db5305814fa8046da0d790c5cab59
SHA25631c054f8b4c974d6ac436ee21828121f600a1dde0eb5bb8c7fb41c47ffa9563e
SHA512662db73cfe28995149aa4a3d2f877fd7b9a027a4f322be9ee6ffb19b8aa4d97ce3ea1fcc13c85c28a9ab815aecca1b0baa69109f20cfa73a46cf8c1be586dfb1
-
Filesize
29KB
MD58355353da56dd6ba036eeedbb10ffa68
SHA13e20c8f35cabebd04e7162b9567fd3905174127d
SHA256678888dd82f5cb04b5727c56699c70d442b35ac65338bbe9ac45ed8d2a32acb9
SHA512000d0a8648ca4e8433568efc422f3caeed7c53e764878aca11f8b7405850863f8a7bea4a97fbb0076db961d3f09646a00bb3eaa0e4e3b81d949ac2aa033b0827
-
Filesize
31KB
MD59e0645c2970492f18a9c16d053ae47cb
SHA1c91f0ee7dc0dc0213776728b152a5c3597b8e1c0
SHA2567bef8830bdf0fbc8d84d85946a28cafe05fc47528741bc11998805982a3b421d
SHA512c4277b7e7652bd342dbda6d2d22acbaeeb9ec1321cd91ad236575d0c8f504220736218711e91f0984e3d2f06652101f52aee123163d7bf3cd173c7ec2d1325cc
-
Filesize
31KB
MD58b692911c2eef0d2e2fbc8ee84c39e03
SHA1b5f558a2cbfee2dcf1cf5f7e5dd229309f5bca1e
SHA25668ff5bb5a44f019c7c8a50cbf9ee0af264b4782e6516917b4760c0b05d247161
SHA5126a4118eb9d1bdcb4031db82682ee919f62d575dc765ca0a65028bd31c8bdc061155bc2139318916b3be3572b6a3656d194e3a925b5711241f436267a9af1109f
-
Filesize
27KB
MD58ff46334ccb442dbdce0b04e84cc6364
SHA152a7dfd39529c0669d8fe72416876bb2b241741e
SHA25647c08c6be842b50d119c4921ff860bfc1739efdb017de42c1247bf0fb5c1e254
SHA512b23b74b2c7f76abb613630c888eff8ec2fe6c28138522ebed478f6d55e21917e658f269ef0d6014e8778225b81e2839cb965a1ff243b5639766bdbcd52c28f47
-
Filesize
27KB
MD55d365ca4dcb28432aae57e60dfae29f7
SHA176150d3ae3070e10f378df87e433b1324f5f008e
SHA256990051016c4d565d20167c62be48e92ecd840231bd0ff21838d105cbea750ed3
SHA512f46fb26ef0ce04eb0655cd4ed769b5af055ccec0a15cacc25c9bdd6e3c3a4ca501164e5093eb7381d00ea28a3be59e69762ade995a421c7ce8b1944fd2446465
-
Filesize
29KB
MD522b0343d2498e2a0b9d4168d480bd6b8
SHA1d4dd3b497b262905788c7abdc791af1cdd80c6a8
SHA256094dd4e1d9cf8114145c254372b0ac20f6593f16f7b53e02953bd21bbe26a4f0
SHA512970fd6cb5fa68e2e12a6288b00250a3c400939963298bfe7610edced53036990c51edef7f5054c371b12eb992ce8e05b1eb7af4d9ba61e0af41096a9ed64957a
-
Filesize
29KB
MD517006114f71cb462041e1ec50a952047
SHA13062f6d33dfa215b18492a3e0a2d0fdf41a08429
SHA256bd195bbeb179e478cd1dc4bab518568edd65603e3d33b11b3298ccd1995b183f
SHA5125d7fe67bc1d6e22c9e7c13df5a5b9dd039eb77d94b991908a6e23ae703295d2c857b38799c30b40cdb2f3bf503f951de54e11fd65e6f482bc184ffab54ff443f
-
Filesize
28KB
MD5e4a76fbf2d73c51f37bb96ef5b76ceaa
SHA15bc9a30d11fae80286f0a73db5900e9b2a94fc30
SHA256a1c067279ba80bacdd975117ae5e6aad9923b3138340d25d08742163107d7313
SHA5120b4751d5a7914daecc8f0f620dff0228bfe1853af901c6ec277656f3c568d916bc1e1d22bc737ee3f54107fca6ded731c73e80147e34ce3b81c276f8b6d2b2e0
-
Filesize
29KB
MD5a5824f125e7c5a363618e10eb166cfa2
SHA1b9265cee687f031f52eb6cfd6ffacd728f7c9c71
SHA2563fe2d705da261a98a8cb375d59ff98b0552b61e7c57132d46126fe4646b2cdd7
SHA5124b2c4fc806097320a56c2547d2962f21e99e6e17a211cfd9aab1a7845dce78d958ab6a03481cb2a827ab233afb2cbcd059bc6e211f8951c1a2e3b7ac51825b8a
-
Filesize
28KB
MD596e70c3aced49e26c5938bf5ec7e7a7f
SHA15fe35ee220c39cf8cad8d434b49ec31fa3f729ba
SHA2565f8d8a9d207108426a3f4776786c4a7b5d70db237ded870b9a7ab191602fd83e
SHA512af6f420164c2504a6c0fb3b62c89790dc3e08ae0b847e0a888c2c793aa6198134a8c18914fa0a5f3153dcad51698cb7125d2c90ae68de221042cbb97b7f8b78a
-
Filesize
28KB
MD55ce5cf921d0e522b8a05efa79031cfde
SHA1a081d73ab637ad63831b0e05d0122e8e9036a41b
SHA2566d049ab238bffbfaa0408460f3d76bc23bfd62ccf57659beaa81346e2dd69e98
SHA5126ef468f6f6b6186fee208b3101c089a168bfc286fd7a84c220a72be085744c70b30a299cbce1bb0c25689da1f348552322a6451277be604f211017ce6d16f989
-
Filesize
29KB
MD54bfe23c9930f814f7c9d977525cf2046
SHA13a6147006bd805a33d7caa647e8088a257061781
SHA256a9a40611ddccf179b8cd342c07d947af951f85072b598b5332ca772a5ce7729a
SHA512a235eef64580b8922e5f507f9bb2080800dcb4ea6b156150d2266748ebf38c2eb1e39342b01856ebd9e63b6e89c2104b434e444277dfe03e549293c928cb89bd
-
Filesize
30KB
MD5e22edad44e45a6e1da46e0afbb318052
SHA1d35c28b112fc386c6f4c52e4faa2ed8a56a4f6eb
SHA256a7a163fbcbeffbfd4655e41d162817a56b8da8b679b139a04961e830ea5ad05a
SHA512e750271aa41b402a5682f6863e95756c91afcbd5a994453280c7dac3973da3ecaf0fa0689b962cadab492ce90d510a436bd773c995b93ff6b40007371cdd2713
-
Filesize
30KB
MD586e02140bd5ea5090460ab7ac5c5cf08
SHA13cc00afb1b108b2247cc38211b64bb360c1419b4
SHA2564edd7b2ec1438f6a5d56eb0b7fcd7a42f2110eaf57439283afe85f527f9c1574
SHA512a0e6177a3791e59aebcc960cdc2861e10b6a20e0169940f219c92cccbd4827afc47bbd94a5629d25a9f2d547e8e2094a3c96aa55a1bc3fe9b744c07436359e95
-
Filesize
29KB
MD5912713dbc1bf81366497d2c10ba3783b
SHA1cd42a85838ef70f72c2faa5a149bc6a904f81585
SHA256f4b3c90ab375d5f465e2abc2bdff37fc41e4a1ed44ebf8370cd9eba7408fb586
SHA51211b2b1b726b314a725d24fa3c8b85f9c05a1643ae768adcad4b7006870b728db8688cf708f355ed8ffe2cbc24fb874dce2dbad86231c045b454dbcddfde35225
-
Filesize
30KB
MD503cf202f9262f42dff2b35987eed7c95
SHA12ccf4e4b8f55d61032048101c18a4b6cc7b6a087
SHA2566f033953fdb5ad272ddf29299577a4bb8d9a53bda4b3d8ffffd8d56c542c2c56
SHA512c1d65b8457fa2b0998aa6500b585c14e177154ae5cbf08cbb0ff0fd7a1d82e31520f4bee4ad20badeb91784501057b1a968c7d7d8415a2f7683f1a434bbca30d
-
Filesize
29KB
MD5e2bc2cb179b0758f9deda1fde5f60ae2
SHA171367f007ab0daf92d954b7e86eae037ec2fa8f4
SHA2566a2342b270f775433bc77f9d48ab8f71b221c3cd60d84e893314bebff19c4801
SHA512ff3a3afdf1780d6351306c0e00fedb59c020de68499005726e57487e9c5045636e59baffa487ffbcecc95f9bace000f66d1c3bf3b107e309e3cb522d45dc7b7d
-
Filesize
29KB
MD534b01daded37b4003b71c63712ff2577
SHA17cf99924ab19d94dca8a51d00f95ffc29b9f8e98
SHA25611ffdf625eb3de49818a1a6288e9d7a60f4f3c8951b163eea84095ffd4ff871d
SHA5126a865be6b2c5103db06dd14777833bd4835f10c2a282c5edd43325fb0c1669fac875367f4a4f3d98c26c55449682ee406e7c882c16d9f48b41f3be533d82f161
-
Filesize
29KB
MD51b10182ad3f07c112f26fbd9f7a43848
SHA1b9b9b4bc37a9dc1f9a9cb11df44583594d72f6e1
SHA256381cbc579d5200ed6725a0dc149dd04703d157ae793d39be130d68eff7109c02
SHA5121575d4f0f756aa5bee99c0b1f60ebca946abfcba08b180b13eb9fd966b05c44cff94ee2db6b5fa7025b5f0247f06d5bcec3c790a20c1086a59933aa7e5cf7097
-
Filesize
29KB
MD5e03b903ae9e8a21ab7e24230c05ff0f4
SHA16c9b3354c0b5a96b7f062d94bf874c67ebbe4c72
SHA2569fbff63d4b7dc5e94958bf657321ff8f93de76394f78ed679863072d4ed3062a
SHA51231b7322288802c58e7b287605bae0899bd4bff0b3b1c1daa2898ed32453b5e8d0d4d5b508c79c6236e924a23d61321981d80a80929dfe875bcbe6fd0b4400b04
-
Filesize
29KB
MD5c4404953c519113d70e8fb19ce4b23dd
SHA1c01ab7651ab1e3ae24f146ec72bf53d64001e14f
SHA256e903ef5c4ba6872159e21dc6f4afa9a20113868cd99ddb8857369637053c3b05
SHA512a575ba69f83408b219a6b3b63e031fe37d691de67e9b069daa43091b6eee3089100c1f15d34c36f0a40e086d97568866386d52cf60f0160296ea2db745b8c567
-
Filesize
28KB
MD5cad5e407dc341f661f3675c821807c84
SHA18581e431be8308b4a0746719898f66a2e4efbfd4
SHA256df5d8fc7010fff00081f71f3fa2f8a384f45f077caa9afb066d45a070308581e
SHA5126fcaf91c27feef117430a185d6189bdeb4c438186e4307a6c91c43cf9584c236b93ac04fa549eeb7f63e13494e30d58fd295068d7572cbe8beb438666a4fcf4f
-
Filesize
28KB
MD5fcf71fc0b6f12c6d3ccb03418228a538
SHA190afa2cabc9eda94a7d01689f605e59601481cf3
SHA256a3b8c23468dec69532ad374b9a3475e552b941d965ffcbdc6de0f23d58baeab4
SHA512ca804da85ac67fecd46a5820328f5f209ba08e3f2ef587ce1021754928de36f14f47fe08ddffd729d1d0ff64d5c7dcb0d508818248ceedc5c83fe0a6017aa031
-
Filesize
30KB
MD58986d1d9e5fc10d99a45d00f2858ef5c
SHA149102f4cfe2dc62ef633fee73678a16f8c06c136
SHA25664576a5588c0facf99197d055c9a6a9b0db9a25c5601087b94407dd79fe44ce4
SHA51230a094bf7d0db33d54581da8708f5f19cbaabca041e7e559b849f9581e22b8d3415093461e33fe7091acf643e02847c6edbd71a107f462f0057a4e9018266f95
-
Filesize
25KB
MD5785d4681543392b616bcd95e52da7998
SHA1d538f78f7323f50d01f2765432705ff30ce47930
SHA256b05c9c1312c869cd6ec5682372bfb01b3e52a60a01ab2fe68afcd6fa20a8cef7
SHA5128031fa240100e6fd6721affa3ca37e6d88b6341b51d299f03736c31c67fcb2e3c105ecd8f27a6570e69a60616008c9868da424615f035e3d25a89cf95e63e622
-
Filesize
24KB
MD5ad20644a4ef8b16c043d4c1b68a0e771
SHA1d1bd42edd650c3141a58c6ff0aa858709b7e0258
SHA2567f2eacecbcda9339249b386ce8e23611e94d2fbec3d90121569d6f1cfdf6f9c0
SHA5128cf2e34a23f99bf8c37bd5727c8ff6b7666f7752427df8b05d8d82e5e7d97786b4ecded4031bde32d91e46627b169e8d31b2bdd2119c6b755731a787364c0e1f
-
Filesize
29KB
MD529bb41863ca31837876d4acac58f8a47
SHA104add82abba27c6ce6922709ea864ae4b40fa8c7
SHA25620fcb7142b72803b1f74e52d434cb28eb09fa8ff2d178e5edfa7fa5885552e5c
SHA51200d3a9c33ba5b7b995cdcea97e708fe4b9e14883e0b14f0547cbce5b1ba54c338cce7ae81b18e53ab3072152e748528710ff0bb49197970d4f1d1fc700a1ae52
-
Filesize
28KB
MD5f53a96193b592c3b5fb18292d59c9bcb
SHA15a218c70180f408d393397b9a9c2c34d7deb8992
SHA256e6244f73585ae3c74a0df8e077a58da3dd7b7d914b991747686edadd6de7f87a
SHA5124f1cf04a8f50f3c9cab562d3df52dc10cc98232a50fd99a61d4e7557a3c1cecf5cf89d7db1bccb42467f1e3ace2057f2359007ddedf9f831e4e9b16ad2c046e3
-
Filesize
27KB
MD58cb769dafb0dd354d2b567160bf82a63
SHA1beba881af68b4081ece5c3baa70864225c0c7472
SHA256926c2fc5f0dbe67a1da03125ca00fe6fad055e9fe65bedfb75aa23fbea289e8e
SHA5123905e30b1c47e4bac91ec09bd08f9c23bf1a5015f58ac843369632d58315c53372a2b87e9d0560b95803941be26b066b4b2413c9b66f2ab9288bda1d6a99b804
-
Filesize
29KB
MD5790d15a76ad2a23841dc9fac85ddac88
SHA1cb30bb84d28d97cf96c767833ef6d2357a15b437
SHA256927c9d8800e490b0f6affd0fd93dc4ddc27348ec7bcbf594b0866b7ece46e33e
SHA512011806c6059c1a25fe451d04339641e52e94f8b582d1a60a80260584e8aeb012df30d01496de7e7cce942c631922d12271718806ac3656e207775e98b2cf8166
-
Filesize
23KB
MD523a9415f5fa8793237b1a6500d683189
SHA1e8e628e9237402051f331d01e1c3bef4ac407a9f
SHA256d56e63986eb323739599da79b3a8b1db4fc616668dec44dc878195f2b86bca1b
SHA512615a50c7e062e7d75e13bad2c23867fb6b543bb2969e5b32bcae0b1874f1cb15179021599507c9b1bf16d7dae0bc22c1e246411c9cd643772314a7561a5d7140
-
Filesize
1019B
MD53deaa0efdc1a76e64cda5819c5bba1b5
SHA1cc2293f57ca2ae3f97389a820b814c4abda83210
SHA256798ab8fd87d8c613b2384aefcbcc7acbfeca4505467aa3cbdeac64ca115cd1d5
SHA512ca27ec7b075d00a224abe1c73c602e7a5b23bed5885cefb7964a910ef31faca8f8b833983bf531c0cbd9f7b1d29eb63860f698c912a6553213414b2557dea784
-
Filesize
865KB
MD5af90b7e01ad08606b0f1ad4a394562de
SHA1fafa4283e5d0eb07ac447709a19293f35913941b
SHA256956a726e1d43d3aa58fc9f773ae38dd9c57e593035e56ced80cd92995a999de6
SHA512f871e27dfe3b13f99710fb1c7fcfe43f81117683543e46d4c3523ace2f070e3ee86788f25f14fe12023f33bab198cc627f178457ae978e8a62e1e2615e9ce28d
-
Filesize
804KB
MD5144d56afcbfab33a1e4e8b322a2b6a43
SHA1288038b409734a34783042fc73f81d06237d362d
SHA2561805db217d72ad94ec0b4a7f1a2dcef7a2154f436b5f7aa1c0f985be464bd0df
SHA512669156de8385d90e7cdee0e7cf425e3a1f0e769faeff5e7f4f250bd3753b6209426eea476240cb0db843c8011aa9e03ebe52a23f4e4a9b5bbd1e39e5648f82f6
-
Filesize
434KB
MD517a3bd6dd6c9239ca254cfd093f98514
SHA134291601ab21e58dfa3001a79d1360d643bf1bdb
SHA25632a67df3d387d02ca4deedd0e9a329535ce82dba9aca85d275dda0e5ddf9b20f
SHA512c503d395fc67af76d5d9f6fbb181034ac083e3d2780b5dc2e82fcdc70c55c634c70a80282318cd73b13f5030d84711cebb37113231b629a0d413482636f37a34
-
Filesize
390B
MD504a5c9ee72d1c5e0d28ce0b3fe36c401
SHA173498d37913c99c768ed4716dacb3ead6985c1c3
SHA25641547d3505e25c1f44e3ce59e0a6a9c7ba71b90ec2862ddcb002f2211997ad7d
SHA5122635d1ba3b796622ce8da5f083bb398d27e962b7725eb15c740b87443dbc5aa5829b45da8745a7773c07d08417bbcd35c22587510a308605fdeab962758be92d
-
Filesize
218KB
MD5237415e07b5471cc765a6f217ea330c1
SHA113026427a7a1e22d95a1d41cee8ea452e8383469
SHA25640ce7ea7995d25c558a20201c550c864f49e0017c70ea41627c824a67ee150d4
SHA512bda41e5954b3eb65710ad7b326e44f4cac8051c55a5dc82707baf22e0f073ec7e86d58ddf93c11c53e085c40247eff05c87b74d4019191592aea7aa3ce646bec
-
Filesize
250KB
MD5663079b6b5a2b9b49747ab49f427c19f
SHA132c4df48563e6a54e32337d7bcb3e5c347bf91f5
SHA256d36d9fec31234ead865e6bd1cbb2a77ac77e377c63994692d4fc952270e0e2f3
SHA512558259b3a4f0180cd70d1fb272418ce6a6e1ba76fa7fdb32b783e0eaa01160fe70b54d80705927fa9a7d16a376537b0f39e0c381d30143b7eaad458f1928fdab
-
Filesize
2.8MB
MD5422d01e7691028b9ae7d69363c0f5e71
SHA1d3e8e888916122a16a799a76eda9aa12c2547a79
SHA256ee96920efe9b54ec3dedbec544709722992c9134bf4fa2f18ecbaaefcc2870d3
SHA5126890a708e0401039608a3b19ccec6b5c57b329694a0db06cdbfa58c85582f0650fd156fa65f149a2431679b4368ba507e7d9bb6000b2ee00ab4f1f81532bab66
-
Filesize
1.4MB
MD534a5c76979563918b953e66e0d39c7ef
SHA14181398aa1fd5190155ac3a388434e5f7ea0b667
SHA2560bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
SHA512642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040
-
Filesize
869B
MD5c7e4cb0940f5e317f42a66225301124c
SHA1d20794932e3520f93f586f879e14497053ffbfa1
SHA25689b7a719f37fb5f05eae9ac2cfca5524eb51fa93493d18fa986dc843188ed970
SHA512585cc61ed9bcecaba62d8815a493bdad6e75d795ce107fb9effb2043c152e8108108f693ac697f303ef83446e951cb69d80ed036f2290331b1d275597ae95652
-
Filesize
8KB
MD5929b319cbe9417b3620478e878300b8f
SHA1709064eeeff7f62dc2b14c963bd34dd695b7b008
SHA256b79815fc390c051337bea4731c0599abb57eff30bdd5dc83f95067e9b71cba55
SHA5127fb77356029f369b94ef6f66fa176eee57016cd262ced961ce62c00d9497bea95be3705c769958900a5ac8b31d0eb8d37b612332a3a13c64478be745ab791dcc
-
Filesize
3KB
MD51a6c9a835dcea0482f98a7010eed0a3d
SHA130209d8a23fb953fcfc966537238fdabdc242f70
SHA256d55cdefc515f7856999d478c3ec8d589c47271fc861ccfcc76c5a9efec521e6e
SHA51285093ff884c6c97c76d784f148f46aff5e38acc1bf23ab19847589009be2f38bef4a6896b9e5f92ccb8641eda785f9d1ba8e0e7cdf7cfce4a877015ef0ce96d3
-
Filesize
1.5MB
MD52fbe10e4233824fbea08ddf085d7df96
SHA117068c55b3c15e1213436ba232bbd79d90985b31
SHA2565b01d964ced28c1ff850b4de05a71f386addd815a30c4a9ee210ef90619df58e
SHA5124c4d256d67b6aadea45b1677ab2f0b66bef385fa09127c4681389bdde214b35351b38121d651bf47734147afd4af063e2eb2e6ebf15436ad42f1533c42278fa4
-
Filesize
13KB
MD5fe55e47d1e66304c016d2dbe93836f0d
SHA1da658edd6a5da8bd6b361e2aacca6cb9305a2368
SHA256d526f353df1ad22fb1d00c5d47e40988d4c26c55127da937913d3d41c0828e2e
SHA5129cb97945895db4772688486b710eda8971d84707f7ddf6a7fb55fb33147dced14e07849eb0fd5067466d867796440fc303aa92912790abb2a82430f2f6224a16
-
Filesize
1.7MB
MD57509947901239bf8d1935e6d6b16c5d4
SHA14433b22066cb28526dc90eb9bfae25021e845f6e
SHA256b630be7d9d061254e747fc68fbda8829211241693422db012eadf5284b8e7857
SHA5129f41d86063998353344eddfdd672edc96fa76af8ea81a45c4d99829369dc93a021ebbafd6078ba94edc1fdfefefe51cd1974a5f21b5c9f9b3cbf297574d1d984
-
Filesize
2KB
MD59ad60eb2e118c08f02e79ca43899032d
SHA1f8e9366afd97c1f51c6066edb33c8acb6e014a12
SHA256200a2eabe5dc467a6a90b82d7f7dbefc57d1ce6b635bb4d2a89e27f07ae37884
SHA512e45a40f8bce307d324ad3b26b88e12b77f823748289a9629dbca7c31f4101c0b8597f2b9b5b030cbb94c21415800f8c5dc4eda3de2f7d0b6ac1d4f99be47841a
-
Filesize
8KB
MD50d938da3b9fffe5e7f432aa1ddc4a36b
SHA1723df219d8a2454c1b07417fcc5def18e98b910b
SHA256cdf152a353b5c68ecad6704ee35d265fdb294fbb4d7eab687f67dff94f0ae22c
SHA5128232f8a5b11557afe68c5a889cac554e727981d8c43205f192a06ff7e1e03b8a367b95db3d34831a96989f4e9a655cff15dbad492377fd369aa5e0dcd34d387b
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\Adafruit_SSD1306\is-9S6CK.tmp
Filesize1KB
MD566fb43118340f7cc82583caf93f47415
SHA1865128d22f2f941292b47d3b685b3c5fe10b4439
SHA2561f99f4614772f054a0ee4ce708932dff691c595b81cadc68129544a1c9d8e95a
SHA51257115b1e68968d730ab0c05878cfc2e6692ccbaf98889af843a5b1926455104f8d5ff187404d0ef86be0cfed558570030456b4768f9585c40b7ca43f4a88e416
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\examples\CustomChars\is-K4DSQ.tmp
Filesize1KB
MD511178f695ca2164f9ad4f4abe67645a3
SHA19858388833f1df49050fe00e975690f6a267e5e0
SHA2568cfd27ba18b16e8042a2ebaea8106bf18a86c5a41021ba89add3fedd079f7391
SHA512d84772772952353c1eaa17b04ba566e8715546c6bc4b95a187d866d8cf6190c9d4225ffddc09f0d4e9f6af7da40dc768c4eee57b7f40a9ab064077a8ae90bac4
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\examples\HelloWorld\is-91U37.tmp
Filesize633B
MD5fd5cfbf92deefe33d610b0e4b8260ecc
SHA155a2e72c20ca1dc856f8f1a6c5b8bcb7d762d230
SHA256418229fa3cc93de2a1b6908f6543bd1be5fa9254233d5f5aeec91eeb95b02769
SHA5121edf715cb9938d117cc04ff878c2bd5ab52b68df195bc0c27c0172dc0851bbd3683bd03e20e9f219eb3ffc68828478069c1c4baf4ce4dbba374f74ca5aa91e28
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-A7BNA.tmp
Filesize436B
MD543ff49c742974031958a3cc6c350791f
SHA18f52edd1bd339f155f45fbc59f54d3aca5db2002
SHA2564e69a888af100a9433b80a0240e7591a51165d0e2751385dbb815f7df617ef12
SHA512a4ae8dc0ee4b1284c31e200e87663664be8bb6f17021b4e3ef8a064271f43d34c535d0c1a0cc05d6318d7e9ec599a6719d2f9bb0ad3154c80522aa2e87486fb7
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-M031T.tmp
Filesize85B
MD55e59d4dcd20876e95889dcb79427324d
SHA1a3f62c33c644cd380d667ce9275ea79cfae0e165
SHA256696e65fdb9383f3536110163dd2da87918aa5bfa8e0d46a984926534ce867e30
SHA51228d7a7c221fe95233fdb709d02a71e6bc9a94ccb542904b6975e966ff6ab3ac9182e0e86d1ed9c53d033c442039742b7e95c5da6408d19b3d01c2e85081bbe22
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-R6ACF.tmp
Filesize325B
MD5e86973fb145f7325aff9bc2ef84ae798
SHA178ebe9858c18e93525d7e914917283ec00b79465
SHA256324c69979ab30b1bc2db5352c1b84048baffcc2f5834cd0cda15a3565f4412e1
SHA5127f8039607ee17f75c090e3b336784ef17e3396e44d9231500dc2e575443ce49d3d5641a55af27f506f2ecb3c17b21e29ed771d765a07a1beca11fd6b1ca62bf3
-
C:\Program Files (x86)\SimHub\_Addons\Arduino\ArduinoIDE\arduino-1.6.13\libraries\LiquidCrystal_I2C_PCF8574T\is-TBLVV.tmp
Filesize1KB
MD5f9e7372c40ae2155506ba101320d4113
SHA10e6172ff43bcfa6886c0caa7ffc66b6cd6e307f4
SHA256875e705e1f5b5f651da926147208e6843c3bad313a46f6c0e1141c8e4a61b0b5
SHA512aa35c5a8d3eeaa743af851d23c391f296c0f749fde638625b2648f7fa69ea11dd94940fdc82f57c3c1e68825cc71c595b7312ab0797adfad68a6f1960d7ceb84
-
Filesize
51KB
MD5478c4b58c623ca570eb9e1e6a7145c29
SHA1dc428e934b13e7d1342e49ff272476aebb5cb99d
SHA256881082f48456436133aa31c84e5415f5840964541c0b9a6554229dd5d4e18ed6
SHA51256a7c3952c81a2b73c87b455e3c3269f484bbdae0499c88f549573a2c169c4a9609628227a9954fefa37ade3fe137f12399a74fb15c9406bcc04d047b3b9b279
-
Filesize
64B
MD599b9e5722bd18056e953ef59525f2ff0
SHA1b5ce0cf0eb707fc6c4ab4db9fb95952fcee2cc0d
SHA2567a92a0f8c03cf401c3ffb04f41efe74c573c4817ea3543bd6e91210b07da3cdd
SHA512d498d5a83a0528eff93d8589b4333c578f02070a08865175d4d395c5e082408b159f62373447e0a2fcec5ba16fbf7a7b305ff3a4f8324f5ec2e177562db6302f
-
Filesize
1KB
MD5ac878d0db90351057ad99ff2f242d03b
SHA1b9e2d82a7bbc918f2d7559a1f6bb21522e4a4401
SHA25604173fc3d44de8a0606fca9017be0e60d212492b2ba9a5395d43e957c9d7d463
SHA5128239f5011ccdf9a0deeadb0d9b1e34635c3b43d927769fd2ccc6c2b23b65d86b1a6792ac4e433dad35c102ec4a70fb99f18bac40b86c4b79a6fae5cb3ed08577
-
Filesize
2KB
MD57d61986043b9ef22e030b140a5c001b4
SHA1652d3d481000f18a43af45188ef0026da1263c79
SHA25679cbe99bff2e50148436f69709c034fd715fc94029b1fc57608a236831bba709
SHA512afca534413df82681722a9bfc4c341f5a00900d9b654d06319fcfd5c9becd5f751c5f49fff67d5fa846ea8699ee8b5d34bd78d0c3362317e1d89d5bcfb05c4e0
-
Filesize
34KB
MD5fe06497acaf4f45999925d348c2605f9
SHA1b6a5bf31d55a76b5fa0d70db9969a43edc48b9f7
SHA256b3d1eae7f524fc9ddd48562a4652efd2bcd848e38b03f05e388bcce943e73df2
SHA512ad434615208807905dd2e09a4fbfbd3169dc6b46eaf08a4e849ff12a859a02786d05155403a1637faf15092231067636199cacacb6fb96a0060b96bfb796e161
-
Filesize
40KB
MD549667ff15acd3540fd3110d52e5cf68b
SHA16db97b26aacd9d11bb634e15c13dc23044cfccc0
SHA2560381135dcb79324d86a81d8d591007d03f1f2abe6dd212e0ff40e2bd1a8aa33d
SHA512041c497037504ce1d7c08b4655d7ad876db9f3feaa20a850c5f2722a0165b2d5a83b385a4092f0f442b1b969cb27d65c8e0d35889dea4e0e97db6b8914df47cb
-
Filesize
1KB
MD53e769fc52a7b8ffccc88317776fa6a6f
SHA1537f1124adf64adfb4714e10ba1c0787260059ec
SHA2568a19580dba46dbc7b73a861ab252be427a74416ff956c13ae6c937b793f84d03
SHA512438c0a0704928d511d68f0c7d70f9689802913c677f5b440440cb7a35ae5efc2b6b9ed6afd1194497e5fc847d3aee333672f67ffa46dc811e63b49a99caae241
-
Filesize
7KB
MD521be1ff5e4d1c29e5398eb967749e1b2
SHA16e1cf0fa432d7034074551d989761aebbb5dbb07
SHA256eac19bd29db13ab5f90549a42047cd558bcf3981e7cc93df7a5da02aa95d18eb
SHA51244d94bb1cafbf398213dba7f4c09c34f231a9fa2922d27a3f9d1c529dfe9fac6334511a76817f8f457c1da0a827b228948207949648970fc28f06a106b4d6830
-
Filesize
83KB
MD54673eb80a7724580900aa939b5889335
SHA1ec363e43c6e0f1a736e254fdef55a23733c1ea6a
SHA2562526086c45f4e9080dddb7dcf0dd0a01db6a0b6e691f2395b1de7ff47cd3b652
SHA512cb97d3e322bd793ff58296779b4a4c3c37a9ba2d30cdd0df3939b1b758b2cf8b4702ed42e23342615a3c9260112d595712d47c9a6780f13bba16b192e293702d
-
Filesize
60KB
MD59b02d61491de99607930474f23cff469
SHA16ceb8ce3d19557edf78c1067a24ef72ea84c7355
SHA2568b17c5773a25ef79d29cb9fddc1c7ff184b9456ca9e3a63a1ef70cf073f0d662
SHA51248cd93e96dc2923819d3f58e4c9364a85a488ef888a7017fec45b5a6bed84cb2bd4e9e893268344b532193137bcbd87934386b001771831e88016994e52f64f5
-
Filesize
11KB
MD5268f91e80e72b5883e4df0eda857552c
SHA1aba85dc8798773faa344333313a6015aa5c9ed0b
SHA256263f555e5e77925144f803c2f9a0c175abf080632b0c319e965033a58bc0c195
SHA5126fa1390372b92e738ee057d062e266dbc9aba35303ccd6e5986a924dbb1b708764a19f1611936efa412c667456a8aedf333df27b40f000603ff2d1aa471ad207
-
Filesize
74KB
MD597835e0cf0f85c9336f9040e8bced1bf
SHA1b922553967ce45e5c367547777c8db5f24720423
SHA256013ffc20d8e8fd700d657e9149142d0474773b2d9661edc2746b902b3b1d2b2d
SHA5121eea20d63ec5224b68090e9e85c3879a087a5b62f85b0d08648a6685903a577797cb281edde7f92e86b576e752a2d9cb481e08a5f42a1f7c22780493fb04a5c9
-
Filesize
979KB
MD5246900ce6474718730ecd4f873234cf5
SHA10c84b56c82e4624824154d27926ded1c45f4b331
SHA256981a17effddbc20377512ddaec9f22c2b7067e17a3e2a8ccf82bb7bb7b2420b6
SHA5126a9e305bfbfb57d8f8fd16edabef9291a8a97e4b9c2ae90622f6c056e518a0a731fbb3e33a2591d87c8e4293d0f983ec515e6a241792962257b82401a8811d5c
-
Filesize
189KB
MD53b55ff8221bc60b35cf4842a93341b4b
SHA1e4a58b644635774ff6783c33fa843c6260c892b6
SHA256dd16df846b8cc9694732440fd041e5adee7073f5d9e04e9614b0c63fa854ac92
SHA512e949fa4ea404d0a797465d4fdca271d8db2577755a5fa0d7db7bb1e0afaccf35ce927fe8b3588e312d83ded1be524a347df2156b47ebe311b20123cfa77e984b
-
Filesize
280B
MD5dd90c9083c447160787373dc6bbb4730
SHA1148ae592188ad6f9d89422d3392b13db9e146e43
SHA256eb9a80450f85cc0d100f1d9cb1d2a67f5612bf9464901042176fa45a37db41a1
SHA51297bf15872401da155c16ccb1b01023b409d158080d1f3ab796e439d5ebc074eebdea36031d79a7dc2bb2028c79d2fb83a2f3c50a16f47b48478cadfa70298cb6
-
Filesize
115KB
MD5f2b74b56c436f52aa97989fdbd5bce6f
SHA18de70324cca296038d92672d564c292826161652
SHA25694066301a81070dbb59fb8d34dd36c3435f8bb4ff859d2ac67aa4931ab659915
SHA5127d55dd6e6e51a91774d606a23b2403ed2f14d8a0459ad7640fad240500841d7466b52311eb7c4a97ef7f8af20fe81b967f4180ceaf4b650b4138764228c28110
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0ccad0dc-040a-4759-ba32-df3bfa3376e0.tmp
Filesize9KB
MD5f2abe296f9c64f3d0562b67719fc046b
SHA1bf3639918f03348758a4bd0828c1c4e014293a6a
SHA2568ca038595c484e0635680eac3b80b506b7adbd9d89bedb357ec52f48a43cf6fd
SHA512ba9eb991a0e4b750e18b463dd2bfc2560fa3be7687ea5fb6c7fa7006fd6cf1875631c85269a23dbf5f7b296cadd3e506f12ef0612fb85133bab442cdcef81a6c
-
Filesize
649B
MD5c38c457f1081e3c21234d53dc2ecba74
SHA1c136d3f909affe1f258b23690a56ba5b60035d3c
SHA256a1e94314c813341945148951d1f2f89e886980d0e33ed573d0fce3512f17b7b1
SHA5124b0bb83f346150eec3c733f4c39a29eb2a1db1ed7f491e2e435a125158836469bb064b1fe151383b5632c04a1515271f95b5251997a720ce98c3fb21c478c087
-
Filesize
504B
MD50ce2c9be0e6fd29d5c4c963569c3f1cf
SHA1529f458fbcaf3c09314b39875d68b0295fd70381
SHA2560164cdb47d0db38dbcbb713d47e644641d464f689346b278fd4d5c4ff4226582
SHA512577eb52523218b0240c0e24f0127119f2b17bf4be69b9ca2f280ec7e6fce86b9fb5e65bb16be247b5522ba68ca0e297ce81fecbdf5da04e1285945031f84873b
-
Filesize
4KB
MD5f6a70dca8f21c5cd7b655f2fe2e86401
SHA187d68e0a5fb9252f05a1fbc91b850577396a0d5d
SHA2560ffe76b6df522212db3a53bd8d0bfaf34eb140b532d4b9de53db9d0f5514a040
SHA5122c01f6a2fcd28a9cf96165c7d9e98e3f253286be6b5c4e67cd35906d4811e0f5e8ef90d251b9a0c626bb4697d527fe7df9af998aa16520d7381f8351b2278cf3
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD50605af82782d25183a2ced3a1a8d3d5b
SHA1e63702a3768c393c966a4120298c20df39bb2e0f
SHA25660482ffbea25dd80b074cb10f2a500ebd431b017ebe2165b6d1c327d17fce406
SHA5127d39b54cff7dff821140128d30ca0dbcd20f2d4f587972114ec5777c03b134a0f8c016430be46d99edae72134da1791118e58698581eaf4565afb731aada27b9
-
Filesize
9KB
MD5a2459d9ca499dc74af241b0b569fa516
SHA1bc2eb2e0d79657070d286f5cab06220ba52e57b3
SHA256ff5e6b2b9d82c36eb3ee33d8168b52b86414d0c07d2ce2aaad9d6ec3a97f675e
SHA512f2d97753e0fd2de0a625444143db3aca1b7b0f5dddff49afa32cd2943f6ba2b1716c72efb82af241d62eca5f2e3822f4b00c7bae368791bac607b8494f61023b
-
Filesize
9KB
MD5b33f47cd20f4813c7cefe03cc9940f9b
SHA1d27acd08e3a532ee6a89f9a8fd3dd9b340694217
SHA256f7099fa6e9fc0d329d10aa6c4cb02f71d63265729d199ada45fd2321bbd9d478
SHA5123503ebd0ba28d527a393f3b7508af175815b1d7ad3ff1fb90fb2ea50301021952e7048935f98a158c05e06050afb59094c5e69b47a85f40fba6c46627385a1f9
-
Filesize
9KB
MD5aa7d766cffd8d9a1296318825dd7a927
SHA120407db59330fabfa394d5d75e4dee8b10d8c40b
SHA256b56f49db6f786399eb9f6e252f4f9be99ede137c1c9ff0edbffd1c11ef7fe7d0
SHA51258aea5e38399036bc64255818df5169b2a87c9fac76dfdf7e6e2fb394ff5712ca3f22f4ff437bbd43ea38abbb91df2c2f743a164625bc8efa0c2337bf32534a4
-
Filesize
9KB
MD5d36af04b3dbe119daecfe905dc84c4eb
SHA14c6b5d7985ce71e44b4b81ecdec1f23abe860979
SHA25660894df4a95299792984a3344080929c2e7830b0e17e1a605cbaaf057de4da45
SHA512994994a18eb352b83abf920f4134ff3af27d43e977c925dd2decf0acc58f37234ac2e44b2a0deba0c00fbcdd6eb5abd8232ad3a6543ff676bdd75fe4066d5bee
-
Filesize
9KB
MD5f6f50f01aed15b6ef2637cf3a27d1353
SHA1426de079a1f165d46134dcf7f36ea44c0aa3aaee
SHA2567244ca9a5364174bada2acaae71a4048e8dafdddab9f75ebf2f9267e821e95a7
SHA512710d5df174849a4e938ae0ec2a5e6168d8494b5c08d6fc8f221211b24c814143265f3f2bc2424b3380fc01e58607fa7ee777a25701d4103c1e9867522c667acf
-
Filesize
9KB
MD598a1b6121b76294b1c5945dc5997ac27
SHA150a7cdca4936e7c1b151f3698076d8c18d69b9a2
SHA256600c4fadf54c69cb1a6297d5faa01a5eef9c3a6db632245919cc82ca0d171e36
SHA512c44a2bbd05a82711c60c32d65153650cb725fb700081ca6ba40b3537fbc8733839f3843923bac755347aa533a2c92971df5c6fe05433b97dd4cafb7e39633908
-
Filesize
9KB
MD58964f5ed805fed87e9a16a1c43ddacc4
SHA1272ab1939917f1fa9d54a10698c9bd7239fc651d
SHA256884f119ecd0f38832d220245a25f361b4f1ae6b3192328a0de60ff9dbad7e269
SHA51215d15c4801a267332964ad7c76908485f1281b06a4322a876f7f329396be9577348c65d9e7e8b073326e1418c71069d4d7eaaedb668dd3a875b0df1a4af04338
-
Filesize
9KB
MD5ddbe66f5e9aa3262f3a25a79cad22e79
SHA119f361d3b9db2cf0b70146dc1ca09bcb2d475a68
SHA256c6b7b3e05385a513ff671762f8e4794f5ad1b9e598aa8f9d873d3124c5c08089
SHA512cc8d2dfe4fa7ca69d36cda81484442c823f0b0c850babfe7fd2e1de4a519acd42543eb2e88723d430c49e2cc6c108e784a75e3e791f04c3bf1dcba95e1c90b62
-
Filesize
9KB
MD5329ebf68deb7eec4b1ad25eb97bfa25e
SHA102dcb0982fc03716d8b5ca2645a09ceb10689449
SHA25672ae8bfd389c7cf6b4fb41a797851fbdb457802d9e669f386dcd1f026dc908e3
SHA5125d4a14d050193f7098e31590ce42ce4470f3ee015f55b56edbf0f6e4c5483ef794f0af417fc5f2d856016ca72e354d07327ea22c7ff4cd6ebfa6f6dfa72356e0
-
Filesize
9KB
MD57f4213083a495669497b20d1b53678b6
SHA17ebabf9bfeafc81e18aed9cb26095acdd4bbfc7c
SHA256baa14ed3eef2cd87de2552a04c231bcf725fb2e88d3f311a66d411be20d6fe72
SHA512ccbfb158665947f18664dfd557ddec58a2ea317b94aef7971e64c4878043ac9100e5b4866ead8b155c57716dcfb91eb41615c9c802423a67ffeba50ef82c7dfa
-
Filesize
9KB
MD57d1e948c8b23aaa3b5e6190bcdbdf3b4
SHA1bcb9d7ca776e9a8704d0dca8fd5c5d8d2f076106
SHA2568ad8e37800582180a852ae1c24edc4bb356397fd42bed90472757a560895aef4
SHA512685b198f22eabefe224db64300367c88e414e2b4b048be8cb19b4a795d3e2aafa7574fe1065e2635cd0eaa286d04f6bbc84528ebb37257c8d632585b4401ec32
-
Filesize
9KB
MD5a300de101a1a3095b50003aeda1c4aed
SHA1bd44a590f1420be24fd6df0adb276a6b114265c1
SHA256e558bf49f43ca2d3b32c30d0e0009f7dcf31aafb8b1a954c274aab5b8dafd063
SHA5128a41a4037f4c9fdf4d6433efbc94d22e340d8d882f8e5a3236526a2cef599d6fa8e007a57b51d2d254be3b1d4c3c7cb2a632bfcea3129fba705ddd877488f22e
-
Filesize
9KB
MD537188846cd4d7bd0be8b763eaf350987
SHA1802ef494145c6545654a1e1c8277199c58bdcb0a
SHA25638c1cb0b05eb7bb2fd9307561e13c42b6b4f75f0d8ee489cdbe243fc1aa8108a
SHA51226e29d4b276d15539f66f51e1f1f81f84f7ee5638b61ebe7c0e864ad57b1bad2e852b88736d4ce95f077a09765f1423c9c2d594273372150cb28292d7aa9411a
-
Filesize
9KB
MD56acc7d750bb985cfe0731cdb093fb92a
SHA11926808d66fc812bcaac1f36437630edbfbc3fff
SHA25663f129164e2e6c632b5411b4e60f5d6c90e2ab4cccf90596a8d3358ba64d99e2
SHA512da99ec40c6ddcafcdd3a1466658e8358d14eb3574e23fb9a5af53543a0f2f6ffa37a9fdd5ee948616559ce7a9dcd72d91290636fcd1233f72b8db5e2799e281c
-
Filesize
9KB
MD5e2f590b6242435f0386a00282dcc7a7e
SHA125c19c9849552b24c08ed62e4c2264c621f8f7e7
SHA25677e35f06c4bb8dd9232a2229f9385889cb8b01024e9e52bee12676ab6d8410fc
SHA5121792cda30c1e859e759a2199a45c82fc62f9cc563c765aa40ace9388aea2ae4e8222e2fc0acd1bbef21e58ecd60746ef7b7b029ca3917039cfb04249103f7848
-
Filesize
9KB
MD51c6d191b86255cc6fb39c17c7b91c40c
SHA107d5e10b2d5fd320fcd5f8076fc6128fdb9a3984
SHA25608e8b7759f94b752af63e1c0eb9367839beed271067c41493d5c0ed892d11034
SHA5125550a6c102045bedcf72a3f00d4b4dfe42e3301a07016e39f81a75b89f69709c9a86cac32871a4c308ea55405adf76a8111d20b4d1066b12d2e0fea8ef1d1c0b
-
Filesize
9KB
MD503c1340ea037b4df8692160b8e912743
SHA186c977ba5f93a41cc76e8f990cf42bb231ecf185
SHA256f71ad81fa0ed3582473dc2f7c9bc1bc08c7debbedfb515b5930e295dd33009e6
SHA5129ea92cf277169bc7d66435c57b29a2b7a80120ad3063cb4493ba581e8962b908a549cf6e6b15bfa99b781729aff0d008063bb2eca96d79d6bed48f8cbfb86365
-
Filesize
9KB
MD5228e6491f4915f85a3e03a4befd6375a
SHA17cfbc1eff34f2e3baee7d571f2a7e6816d53da1f
SHA256c5d5cef8414e0b5904c246cca22ecb299af046a86ceedcc031704fbcc22f85bc
SHA512a4d6778cb426555f016df03bc01d11cd18c519eddc7715c4da285646a3eeba0df5042f427e27d9867625bcf0c6e8661c9dccdd4d62e66571d2695344d0e0c887
-
Filesize
9KB
MD58fd40bd933a56c1de505740aab6acd7c
SHA1758eacbfdcbd167dc4c614868d00d48e81e48ac8
SHA256b4e286d33b76d397825ba3c4442c1be90f9a0ef30bc45f9a5cf0bf6f5e85e353
SHA51229b2d2f29c6245ccbd2b956190aa345ffef37c9445dfeb1be24f96ccd56cac447a823d025c6e236521fc3f71d7e9c2757f3e76c8f6748320fb1067bad72c0fa1
-
Filesize
9KB
MD505025cfc3c98573a1e4c8fd0da21cf50
SHA148afa2addaa2eae0d8b55b4521fd59950b70e55a
SHA256e7fe4f8ffc642c42ee6bc51d34a314967ea5074be0fa9d2e292534978a1cc1dd
SHA512dc5aa5a0c5e75230a984811b138ed6ffd9ac9d3f21e2eb169bf71e8297866d14d98fba1ad6b836e75e037a859456c748d8cb9f09273a121b9c781c4f4fd1ce58
-
Filesize
9KB
MD564613396a9786ecb7028929b1f64089b
SHA13572f4a1c51860952c3b26ef4697e536fcf62252
SHA256c2ecfbb6f8837880893e050532535bd73d42cbbf1331c081e2b835ff3719148e
SHA51205373db68226aa05689de8d0b85d6434014f8af3a5c4add038988b32a492a58f2aff524ea013de0ea603383c5d169b4dc55bf9e367954fc756276805e6d661f6
-
Filesize
77KB
MD578eefdc393368fc7447ee22b8880ec37
SHA1a420cfa39d9638264a489366396cefed66640da3
SHA2562011d4bb3e2f16c2724250e3726632e7d30961ca29b838c552c0f3e724379075
SHA51240fec4eb98bc294ddc5441d3ea708f23b2ec4b11e19c0f696511ea0b92ec1db67e2ddc178bbb75f8e6320bb162541319cabf72503d46c81a7907389cec51d59f
-
Filesize
77KB
MD588467076d2a073db61aeaaf975ba0f2a
SHA18f19684b18853f45870d436a79a62ddf683d9f16
SHA256993a6b01d897692e76186f79e658451d3dce07463cadea6c4d7a78a85370cbab
SHA5123457aae61150a9e436836c3ea9a6e16c511a8e7b12726a1e0e26c03047c316c2d097dad6c554976e01cf5ed618e17601c1ff295e53c5405bf607c392eb935dfc
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\0d0d316f-cee7-4087-ac1c-7e96f763efd1\acbef2cf-db27-4866-9d94-d4be3a95eeae.ttf
Filesize111KB
MD577d353744697c77955f9bacc7f3ed90a
SHA1573229cbc4622190a38adff3d906e0c1466802bd
SHA2568b32bc539ca95dda2d2206a43234b5f3b0fe964bd25966c860bc80ec7f06d702
SHA512a4252208b0cb258f249b6826a1ed920b8cb67ecc57da60333812f3515e5b351c739ce5640e9715d9725e4946693306dad6ba1cab40f7bdbe006b113edd5f41bc
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\0f5dd4c4-2e7d-4487-8ebf-af362a4b9043\cb20d060-7cdb-4b53-856f-2bf9e4f2634a.ttf
Filesize266KB
MD502c135aac8af7c241f3896eff6ed160a
SHA1aa5b0f0b77345a77654c2d233977c108cf771549
SHA2563f670a1a3208af46df3ca7a9dfeda42533d0e6f196e105fd0dbe8a4443add78c
SHA512e29bbe00c2ba4d807f6df889451246b1d73e5baed99f99c4e1cffbfd487da099f359f286e938e753ded0cb30bab54ecff12f082cd048c025731dbe95d19c0d4c
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\3837d0dc-56c1-4da8-a6fc-ccee7f11543f\3f005824-717a-4f9d-b4f0-0331840b389d.ttf
Filesize45KB
MD57b53aa64ae4562072fbd42771c6f6e1b
SHA16869bc094dbac8bb82ce388c47f8ff6ef0f4f979
SHA256b1085806ce6a82c567e7122cee80f630e9c7025d80d17be20a890006463a7c28
SHA512a41dc9b31e8efb784b96a2bd6afa3eb8fff9ded93688a34ad2d6653766f7dc4e959a75fa26f03a44acb3dacb3698b2882549aef9b5e08b8e56522f478e00ab8e
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\3cbb2114-039f-494a-a721-52b209eaa93f\44c016e2-2183-4593-9b70-cfc134befe47.ttf
Filesize51KB
MD59ecb31af0cb8c0c1815495dae3b67d88
SHA1522f758c2d2841c06928db95aaf7e320a678d63e
SHA2562a9b34228ba435e5a3497f6258eb31d1d326466c0fa409ee241dc8ef2b77fdf1
SHA512ac2f332f19f6465738f07ec92907530556524c229c3eabed748031c9cefbe87f814723fb194fc6db6b629ec95c0088ead60e2e01af69bc68df566acfaf7490c3
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\48bfd1e4-f175-410e-a7c8-a248ae983023\eef192a8-6b1a-4468-b22a-8631a660ad50.ttf
Filesize264KB
MD55edcfe29f3f9782b78dd30bb8706bdd9
SHA1f768575744ec715968a7b8063eb7b0f30a8ef5cf
SHA2564c667acffef9076dff0be0ef44343ff5472e0513e686719f5fef94f75063a2cc
SHA512718263b1178d9e54e3923a2508a6f3da1718d9ee3840a221304398ffbd41e0a28b851ececb4aa22947cbbc34086eefb3b71aac3ed9428c3cdeffb71e8983a72a
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\56f769dc-d474-4d5b-9373-f78ad626a7b0\b4b8870f-7e5f-4b7a-802c-99aa075f2988.ttf
Filesize27KB
MD5ad6797745417d25f592fe6822250da6d
SHA198f44505007d416f2d8c29a535255ec25ef1e339
SHA25620d16d403a9e82c8340dc3a5c4c061ca2121b77a598d92fc30274eeb324ca300
SHA51256d10cfe617bc9a7f5c4a68b9b63b642fe6fbd9151302d5400001c390090ce0df2bef237214d0ab87da5d6762c6c2d008731bc2fc27241b8f3b44cd2576c148b
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\58f22216-d32f-4b4d-af6a-879e653ddf86\6ba246a3-2b1a-467b-b8aa-e35c820867aa.ttf
Filesize118KB
MD544dfe8cc676882243911a3197a50169e
SHA1c330d59f3e64e07a2571c2ba4f4109b20a168f69
SHA25614f7de6b616950395062902eb8f70f01c0a901223db5d40f2a05728ac4a830f6
SHA5126c07f27f63408932138d5d5aa048793371f28eef16521dda4180bfbf33a5e69860b87e01c24ce53c85e66f5d07075b25ac1ff33aa5709486a0921bc19aea9a58
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\5eeefe7a-700b-4db5-92d5-371825c36306\9f60025f-8ed9-4758-91c5-5b959e9ef9d3.ttf
Filesize28KB
MD5cef847475ff255370d753d20d3ea4d1e
SHA1c22959ed22e32fe86567280eba546f943d0e7319
SHA2564427dc087901ebff7a5c9f61ba5847f88f40edd7ba4b970842203f8ecd06bacf
SHA512347a64335942bdc75e5ef37a9806428fd55bcf111a755084443f1808684e643b78e8f3a374ba4bad372518df83c01d3b454ea03e25ac7a088ff56b97a3b07345
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\5f3817b2-f330-4650-949c-7076ed6dc8a3\6f6a29b0-ebde-474e-b004-dd08a7f59fed.ttf
Filesize39KB
MD5b52fa10b9cf552b711519e8921300be3
SHA115d817b23101379a7fac1fc1eb384aff70e3ac2b
SHA25642056e331bc3f278b5e2432e67d926a994020e417c3e662dab1e79279fa83814
SHA512f1274182b627b439976f4f6ac402946892e23aaa63f47206d5ccf0663dc6319844cf607e87734b3d78439a42a62ccc170092710949213b163aea9645a250c00a
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\6e01c984-9058-4098-a5e6-8160eb055012\cbb48137-bb77-4347-afa3-c1d65fdc5f49.ttf
Filesize290KB
MD529c52aa76288f69b2e5b261fc773220f
SHA1bf6e9238e31f11a6868df02581164d021c5a414d
SHA256db4a414ad40af8afa5da823fbcbd9ec5ffb4d4b6e07bae0a45b0f811cfd4b30d
SHA5126b16714724ae04fcdc6b29bc2983a6cbd10517fcf57b9be8ec8cf11ba90e244829e78abb5a859aba68f9918f12ac2fc4af5b22c2fc9eed9c3968844020965463
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\79757ed6-bdcf-4252-9a6b-edb49935db6a\45f43a5e-5ca6-4503-a88b-b3a8477a00d1.ttf
Filesize64KB
MD53155e42ebe064c301787cb8875e28f2d
SHA1ae36d539d2013fa20b751458514cf89436fd80b7
SHA25693727b4f2a3c87e89b3e4e043cb11e2976905eb33e522162414d0c3c1ad39271
SHA512ed9d2aac65b2771642f807cf8a1c01af522eea102477e6f2d356f51bc187129b55a2f7d94066ebc3b67ec7eaa8b5860223ee13b5308dca18cba24fee345da696
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\7b1363aa-70fe-444e-8d34-c0d0d62d0f03\59494d7e-d0fa-4045-86b6-baadd0ccc450.ttf
Filesize17KB
MD57c9c49432c13c7d923f6f80de0624fd0
SHA19eb5a4c9cd719d7d3b9c1f99359183bfef5936da
SHA2562e06d71832744ffc5b3ea7420bc9991b2bd05161aaa9260f79367cae0d4f1594
SHA51219bff41d61849546b41e83df9619e42d753a8dcc28e6280dee041fddde443479a80a0fddd5b45d4128fb753acc4e7eab0189dda0df9950e2619fe7f1e4dad060
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\7dfe9c0d-9f0b-4e87-9e5a-fe3275234976\3f6f2ba2-b782-49f6-92ac-a05ba6c4cdb3.ttf
Filesize61KB
MD584103952c177a071a7ebe04b6c5a9ae8
SHA1ceaf432365a8f1d2b0e5c5de5d7e95c9331978b6
SHA2567faa8a929338ea09c0bcde975a4d6ff4aa054a0283edd171daf5801e68114bc9
SHA5121bf06e5a5c700821eafd71c89512f543f078f9274ba5f47b9d3ce545f8d43fc782eafbd0e09bab2b9a7a4cd764f1a7f5b4815ffc518cd7d8ffaac31b259e5f30
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\8b125d23-1a74-4680-93e4-41a9b022afac\bd3992c3-30e5-4a79-96b2-7c886cf4934e.ttf
Filesize69KB
MD58c4557add4d929e7a351088df8a55cc7
SHA1b432b1f39556bc99e5780a7291eb4133c02a1bad
SHA2569d1e28a8f1a96d0447054c2131c77b84e5d483bb80229d41a2f2e11dfb166950
SHA5124decfc74a2f136c7970af388c22bee418380685f515cb97c9f55371b9a211e51ba06488017853965648ab1a91cc47cfd285d0187c2ca879a6824f274944f7f3b
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\92db7465-e55a-4291-9635-d61572b93d80\340b9f90-7947-43be-af91-3bfd6a9bd2fc.ttf
Filesize31KB
MD542a05d97a6fb68fc2ae25cf8a1b1d333
SHA1da8ae603abdab9e13c4f72b2daa27632950b542f
SHA256495596c8a66713547ef4ee5a38b48602dd067a8a11b4a5c2eb16b1f5adb5f199
SHA512aacd4eed1864fbd35962d45d4b3042cd9d97658f2bc100cacb51161fc5c43498afb4962e688c736844d55ffc5da67593f33e048de9ff4b9b8311933806082bd3
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\96d060a3-215d-4ef7-b806-8e20953837fc\77ae25c6-bf43-4684-b6f2-5e1a12ab974f.ttf
Filesize33KB
MD5de11a4d78df388ff284c18af2af37546
SHA183941586e45bcd2043a2f25d16a8dd42d2e8a3ba
SHA25649ffe973cadfdc4600e4544bf123cc0ae5059aa9d621624ae5c2615bcb443545
SHA512819fc1b567592649613e41100b65227ca76c83e7add681f3d2067271227a5f077ab9f5fa36b9843495e1884e079295894277806c70bfc1731f2be91b680c0325
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\9c95241a-d3d9-48b8-bef4-93dda39ebd14\b5592238-3c2b-42cf-8c96-24da43d5bd8c.ttf
Filesize34KB
MD58ee7571938437ed27afafad07165181f
SHA1bf8c6f7bb94395994adc4f199d23ebaa6fb96204
SHA2567443c9cf76d2a57063ec2003fae4c7b6e04132e730e0e3da83100e6172843fcd
SHA51289c5bf5476265687b24ea765bc0cbc3619abc34faa613de820db8c465f7e9733a96a85a6e731d91d6f0ee28eb22c382c812276db5aaac6bff289287ac1eff57b
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\9f38fca9-b825-4ec7-9f06-b61b7f217e66\6ff23950-8835-40a8-8ca5-529bb0b1e773.ttf
Filesize37KB
MD539302eb7cd23a9a3a594732d3a678007
SHA1f66343274ccb0568d5e27771b96f04a66e8fb9f9
SHA256df1eaef5cde662755907aa0b576bbbc8675173b5ca7b3976fee4d31ea505baf2
SHA51236151bbcf30bf327d08a3801db1908b542d2550f557bb0f6fda4d4a210fc68fbc0b276caad847d17920efac3bab34b89ea4de17da1007a733cca7316d3ebdc59
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\ae52b120-7fea-4e4c-aeb5-43720d0259fb\7d188649-6218-4b52-a74a-eb3024989fa8.ttf
Filesize40KB
MD5d8c764234801aa57ad44a96b95af8bed
SHA1b7a0181a8849b275051a336b8a13c3bc9030e341
SHA25690f0a053d61ba5042e1c2db00e49584bc8b0d0b3e07fb1609c391b541b0ab4fa
SHA51216cf8d2770500026a6d6bbabfee38de797a18204f601e1ea7ad88016b2a3abdfc80b625e367e8315b3f3a80b0c7204ac89a032d849f3da8178596d7521c929d2
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\bf0fc4ea-f641-40d9-977e-80bd3d51bd77\b8103d39-9ea4-4cdf-9d4a-68eafca3a0ef.ttf
Filesize37KB
MD57509ab665b2c6360611f851fad6afd48
SHA168d94436c8deea3f73e0e018b1ca28e1d6f01f39
SHA25692039c7a750c5fabe3242c7bc1e3b9eb2f7bad724775cd351ef8fd0fd3fd0ed8
SHA512581b828f8b10865826f42f6c4eaf3975f087d0603380a1fa7f65a22a7e2677c9e051c06dd03b13af063f32474267b14aa32332ca2015e59a6da6a2df11f701da
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\bf25d151-89f8-4839-9c94-ba91f64591d5\5f67bb38-c22f-4e48-b1f1-c5104635c4f2.ttf
Filesize71KB
MD5a711fa8102b7282e2e93f924a25ce86b
SHA108ef455104f16e03c39a7ee8cafb4b7f6729bcb7
SHA25609c9c0e13ed67bf202a61057afb0b6e4feb4241e74561624a2ed6cf03307ec3c
SHA5128c602f05e5420e0224f518a1259ff514aa069018ebb7147a1c6c27e39c7a835e787f3dd67ee6510d6cdfa202165c37118c7db09a4b20421fc20a081b0f8c0135
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\ca4098b1-40a2-4b32-9a03-d40517c80a54\514c66ff-ded2-4621-9ebb-744d8ee1defe.ttf
Filesize77KB
MD55a7db2db0a7c1a9f98bfad78893257cd
SHA1b0329dcac31885a7633eab02d89c1b3e0ba58bff
SHA2566be000528ea486a64e67b03de1a84593ec69d7c70d43e3db4ab042ea30ea8990
SHA51292af87258b50d9248c3e64a6a2eb37257ed56a850f4261cb98c3ea42c28a819977fc763e395c95e92893aad2a037ac1e1501ace7c8e344b9b12eafbfafaab0d6
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\db6b3c8c-6c31-4e4e-92e3-87c6999a7ae0\82e4368a-d168-4de4-8c70-f1377e67163d.ttf
Filesize117KB
MD57f690e503a254e0b8349aec0177e07aa
SHA1127f241871a9fe42cd8d073a0835410f3824d57c
SHA2567ae714b63c2c8b940bdd211a0cc678f01168a34eea8aa13c0df25364f29238a7
SHA512329b4fcd0cbb804324a2a0e41542b64949208cffb18d38af50a7ccbaa007c0baf2b241a8077b4db0f6e97385e65ada7d73f6d06a5e55411d549b5a3bf29cd641
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\e2f978ef-82fc-4a84-a461-36da27d5d0f9\75ae31ce-2594-4a6b-9786-d65de9ec4ee6.ttf
Filesize54KB
MD54148fdcc9eb55bd93fdd7147d5bcc6cd
SHA1a1db3ca763963dddd80ae19af62e291edc8e27e6
SHA25659e3f56fc2b5c1fbb333e1fbd72ae178f0dabebf5b6a0bf365afd63d1af992f7
SHA5123db6ec07a71d411c7c531f6c7b163ca9a7541152967159f6e5a416a2d05f6e043b37ef8797cb7e43ec160f0b4464f3531fbfff5a29ffd12a7697f044b5f02dd9
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\ec28454c-2d5d-48a1-b604-4f41506a35ef\d1156c29-38e9-40c9-a1b3-37d0e32aa0ef.ttf
Filesize301KB
MD50dcbd50fdf86dbef65bfd736ef73b15b
SHA1e2e700abfd181dc96299e4ee4b2cad46ccef85e6
SHA25664909b6318408f62f92e3e1d5c54a568b18251d292981d3e318250967052a095
SHA512ad2b0968ca4cd47c1dab5783fe927b15cdce4ea1cf49304b4ed5ef63c1f220a77f5c91d8e6ee97524aa63893e0772082ddd46572b40785a87d470b1e6bc0a4bd
-
C:\Users\Admin\AppData\Local\SimHub\FontsAnalyzer\eec6df24-b15a-42df-a14e-9dec4ee01992\e6aaaa77-812a-48f9-b354-9f6016b3aefa.ttf
Filesize55KB
MD596c8f6ac247a60bc4104d3bca8d913b9
SHA1903776d959288b5f24adecd3a4d8fc3257176df4
SHA2567a8bbbccf4da0103fb3ecca9e252627205309b628d7d606f19d9cbc49b9033fd
SHA5125187f6b85d6306ad4d8897ca865a478e3719d942e190eebae9fe2467d1476d43f0046ee48310db44ed6f2c517676e49c7421b66adcd58c62dda0c21d1e454694
-
Filesize
17KB
MD55c6bf314ff8888ee97a6737cac2a80bf
SHA19dd70e3aa0e9207c9e257ec1f5dacfb1ad9f4608
SHA256223ba1df8e69bfa8c270960dd6e764d5d8a6646ce3f3eb1ab35043873b0663fe
SHA5120ac66734400ef10ec6a22862506b1d8be4e59337f99a19c46cd2a864681f38ba6757748ab62c582bba4bee71f9e7abb684fdd03fd520defda045015483be02a4
-
Filesize
3.1MB
MD5133b8ce9c332a293fa76c99395532bc2
SHA19f7b607b164f4ebae55cc00d70b2982d633d4a9b
SHA256b398b5700ffbfc124f28c8001c63510e47308bf777c780fa3940dd639c5f50fb
SHA512a29d4a6f1bdada70304c8d94acec2337d3567c885544eefd4c837adab79df83f32e04f9360610575e8a7db5b0fdd4f3c4e0a0e2318f12ddf05713fb0bc168bb1
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
4KB
MD57579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
117KB
MD5a52e5220efb60813b31a82d101a97dcb
SHA156e16e4df0944cb07e73a01301886644f062d79b
SHA256e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e
-
C:\Users\Admin\AppData\Local\Temp\{25a63da9-268c-b741-9263-cd8ee98022cb}\amd64\WdfCoInstaller01011.dll
Filesize1.7MB
MD5d10864c1730172780c2d4be633b9220a
SHA1b85d02ba0e8de4aeded1a2f5679505cd403bd201
SHA256f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2
SHA512c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040
-
Filesize
4KB
MD52dc6754a7268c2705ec5988ba972ada6
SHA1767ff29813125dcb74415fad10948131892182e5
SHA2565c98d8487dd4fc565421d36eea1bac2a006ed868f9d23f44f760c20860f5d8d9
SHA5127c694bdd4447b31cc7166e88302ebf45a11c951177250752939c12669061661e8fd1c63d0f50ad34110a1de80bb95a2a71f359e9576abd9bb21b7fc57e5300c8
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
126KB
MD5d7bf29763354eda154aad637017b5483
SHA1dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA2567f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA5121c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c
-
Filesize
4KB
MD5ae875fdfdd12d9cc7382e4f46ad9c547
SHA1597cb06afa8752880760fd0bc138e8ca175467ce
SHA256c6bf85913c0e53c9713f20c520b3c99d3447a08bf7cfd1f1f6a7aa1cfca03c1f
SHA5126c9bc4fc1775ca508b805e0cbdc5ebf070abd384203b82875b9bdd0a8b3901129d21af1f4659fc3c16bd77f5366665f9af057e6969739a1b6fae357bb4376a88
-
Filesize
2KB
MD5fbfcbc4dacc566a3c426f43ce10907b6
SHA163c45f9a771161740e100faf710f30eed017d723
SHA25670400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e
-
Filesize
5KB
MD50056f10a42638ea8b4befc614741ddd6
SHA161d488cfbea063e028a947cb1610ee372d873c9f
SHA2566b1ba0dea830e556a58c883290faa5d49c064e546cbfcd0451596a10cc693f87
SHA5125764ec92f65acc4ebe4de1e2b58b8817e81e0a6bc2f6e451317347e28d66e1e6a3773d7f18be067bbb2cb52ef1fa267754ad2bf2529286cf53730a03409d398e
-
Filesize
180KB
MD541d7231c971401af43de5e4f16974d04
SHA1b92336facfc5c7311ce18e11a68548acd3ef91f0
SHA256cb7e1fbe83913dab01fae8cb0cc7a49a4ade23546afbf7ddcc517a0ca97b5806
SHA512b504eaddf4d95db00169c61a9293d195e8bb656e26b36eb0264bd0fc589707c7ace684e0f4941c8f10438969cb3598e1d8dae1a6b74537186a8e34fa028bc011
-
Filesize
149KB
MD5824b6d3e0cd41882376cb9a6dfd25579
SHA1cb785069ca5ccdb9ae6d535cd8aac6f079c9d4b0
SHA25647c6604a31d6b6bdb9f26a6273a368e4fe7a2ff6cdcb13401a9ce507c8d58885
SHA512237491e6c9660f99b8d83adf2f77805d7ad6b542ce1206c14a0dd9121eee692cb5f83c5152e7446c86d6bcc1694677ae6939be3ad9b0be604e082cc714516493
-
Filesize
2KB
MD5ce5c0749d4a63ed86abbe1b06ea0faad
SHA115a9af72241c559df3e661cde064b907e1c8b72f
SHA25680e5f986c68325341371c1ea7e20291166983c14a996319321056a1a17a447d9
SHA512329b5ab70d0826e3a795b2dd79f0074df8f491a6ba832d77c642e3bd5d5dab1da2f7fd2211a6eec235bad91078941bea584230f29001ed635edb596d11167e04
-
Filesize
2KB
MD527aba4488d6e0ba6c5f6219d4c861aeb
SHA17780cad1ed9538c940252787075f9e84c8cf0782
SHA2563ebd6a327e5ac23f5a00063684d902787376ed197c26aadfd368493ec7a6287e
SHA512c1ef5b808dd2a956dbbc9b732b52351b08bbd8025ae279735fdd4e382d5d9de0475aa4ded3c6d211634cab889c3d6b78daef3c5f47194bb218b1e1fbb8313719
-
Filesize
127B
MD5cead048a81341e7f91c31f96a82e98e3
SHA132f24dda3c3774957c623df11c1237c36ded44fd
SHA25607956deed8284ce2dc1ff98f4a0fc3776df4b2299f53fac42962fe6f8de39836
SHA51234c2887a34a65befe377822c93c662f26ace734b74628c77334d019f22633ecde948ceba29dad5d2b38685bfd90bbdc9817887f1f5a7bd4d3d68fbde38611a7a
-
Filesize
127B
MD5b1247f4b88d54073cf6890171d98ba17
SHA14836f5b8aed470b675b90b161bf238248bb26f02
SHA256a9f72eea0a53999ac1e062d934bafc601a7a1b9a00ecedc9efa54713d79aaf37
SHA5122924fac567a8d929f4f27f79ce8d773c9108d8ea127f7a1de4cc445e1aa4ef602e5d438943c47a4011d45f9ad99073e01c99eb441658171e598b5816b68cbbd7
-
Filesize
634KB
MD52389d29f633df11642dff1bf5f21eb35
SHA1ce85460fd7cde25528142f4cdca4e6013bb4b1e8
SHA256ab91fbaab09a94839ba839275338ac42fe2661781d371e517f9b2e4866e2cc55
SHA51259d607112566d13d15a8de8e18be204e8bf0d2010310ebc9c8589ceb42fb8fce7800a6e58f30ffb92d4c1b3e0d17c1a2076a478de753e5334971465c52f8eeed
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2