Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 16:27
Static task
static1
Behavioral task
behavioral1
Sample
efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
efc1b784fd5c5534af59f28984e7e890
-
SHA1
7bb2d5037426d775e7cc8668671189eabd452a7a
-
SHA256
4eee27cda6df1c3674647b3830726a2742c27a81e0e56dc96c3b65df35aa319d
-
SHA512
964305d8f127d32ac65bf891845da7d3783fe06d1572af7dce3f600943958c765a91414f1bcd5dc4885ac5bf46fcf76b5278d2c0b84fcf7a77fe70e3b21df908
-
SSDEEP
12288:v2G+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:evMdIuwe3zfIe7xmvH/
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 468 Process not Found 1388 alg.exe 2488 aspnet_state.exe 2548 mscorsvw.exe 2580 mscorsvw.exe 680 mscorsvw.exe 1848 mscorsvw.exe 560 ehRecvr.exe 2304 ehsched.exe 1044 elevation_service.exe 1708 IEEtwCollector.exe 1028 GROOVE.EXE 1760 dllhost.exe 2056 maintenanceservice.exe 880 msdtc.exe 2088 msiexec.exe 2520 OSE.EXE 2448 OSPPSVC.EXE 2408 mscorsvw.exe 1340 perfhost.exe 1792 locator.exe 2332 snmptrap.exe 1820 vds.exe 1728 vssvc.exe 684 mscorsvw.exe 936 wbengine.exe 2848 mscorsvw.exe 2084 WmiApSrv.exe 1668 wmpnetwk.exe 1636 SearchIndexer.exe 1732 mscorsvw.exe 2024 mscorsvw.exe 2460 mscorsvw.exe 2596 mscorsvw.exe 2540 mscorsvw.exe 2568 mscorsvw.exe 1016 mscorsvw.exe 1980 mscorsvw.exe 2232 mscorsvw.exe 2496 mscorsvw.exe 900 mscorsvw.exe 1508 mscorsvw.exe 2064 mscorsvw.exe 1484 mscorsvw.exe 744 mscorsvw.exe 2696 mscorsvw.exe 2676 mscorsvw.exe 1972 mscorsvw.exe 2472 mscorsvw.exe 2860 mscorsvw.exe 1456 mscorsvw.exe 1780 mscorsvw.exe 1432 mscorsvw.exe 2676 mscorsvw.exe 1904 mscorsvw.exe 1232 mscorsvw.exe 2944 mscorsvw.exe 1620 mscorsvw.exe 2484 mscorsvw.exe 2492 mscorsvw.exe 1772 mscorsvw.exe 2912 mscorsvw.exe 1780 mscorsvw.exe 2904 mscorsvw.exe -
Loads dropped DLL 51 IoCs
pid Process 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 2088 msiexec.exe 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 756 Process not Found 2944 mscorsvw.exe 2944 mscorsvw.exe 2484 mscorsvw.exe 2484 mscorsvw.exe 1772 mscorsvw.exe 1772 mscorsvw.exe 1780 mscorsvw.exe 1780 mscorsvw.exe 920 mscorsvw.exe 920 mscorsvw.exe 1276 mscorsvw.exe 1276 mscorsvw.exe 1772 mscorsvw.exe 1772 mscorsvw.exe 2432 mscorsvw.exe 2432 mscorsvw.exe 2296 mscorsvw.exe 2296 mscorsvw.exe 664 mscorsvw.exe 664 mscorsvw.exe 2284 mscorsvw.exe 2284 mscorsvw.exe 932 mscorsvw.exe 932 mscorsvw.exe 2492 mscorsvw.exe 2492 mscorsvw.exe 1972 mscorsvw.exe 1972 mscorsvw.exe 1716 mscorsvw.exe 1716 mscorsvw.exe 2296 mscorsvw.exe 2296 mscorsvw.exe 1308 mscorsvw.exe 1308 mscorsvw.exe 2252 mscorsvw.exe 2252 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 22 IoCs
description ioc Process File opened for modification C:\Windows\system32\fxssvc.exe efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe File opened for modification C:\Windows\system32\dllhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\fxssvc.exe mscorsvw.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\f08b467bae4ef42b.bin aspnet_state.exe File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe mscorsvw.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\dllhost.exe efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe File opened for modification C:\Windows\System32\alg.exe efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe mscorsvw.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe mscorsvw.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7zG.exe mscorsvw.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe mscorsvw.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe mscorsvw.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5513.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5AAE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F4F.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4692.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3EA6.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe aspnet_state.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP56C7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7CDD.tmp\ehiVidCtl.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP48F2.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E92.tmp\stdole.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" ehRec.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit ehRecvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2692 ehRec.exe 2488 aspnet_state.exe 2488 aspnet_state.exe 2488 aspnet_state.exe 2488 aspnet_state.exe 2488 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2168 efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: 33 2788 EhTray.exe Token: SeIncBasePriorityPrivilege 2788 EhTray.exe Token: SeDebugPrivilege 2692 ehRec.exe Token: SeTakeOwnershipPrivilege 2488 aspnet_state.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeRestorePrivilege 2088 msiexec.exe Token: SeTakeOwnershipPrivilege 2088 msiexec.exe Token: SeSecurityPrivilege 2088 msiexec.exe Token: 33 2788 EhTray.exe Token: SeIncBasePriorityPrivilege 2788 EhTray.exe Token: SeBackupPrivilege 1728 vssvc.exe Token: SeRestorePrivilege 1728 vssvc.exe Token: SeAuditPrivilege 1728 vssvc.exe Token: SeBackupPrivilege 936 wbengine.exe Token: SeRestorePrivilege 936 wbengine.exe Token: SeSecurityPrivilege 936 wbengine.exe Token: SeManageVolumePrivilege 1636 SearchIndexer.exe Token: 33 1636 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1636 SearchIndexer.exe Token: 33 1668 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 1668 wmpnetwk.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeDebugPrivilege 2488 aspnet_state.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeDebugPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe Token: SeShutdownPrivilege 680 mscorsvw.exe Token: SeShutdownPrivilege 1848 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2788 EhTray.exe 2788 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2788 EhTray.exe 2788 EhTray.exe -
Suspicious use of SetWindowsHookEx 24 IoCs
pid Process 1248 SearchProtocolHost.exe 1248 SearchProtocolHost.exe 1248 SearchProtocolHost.exe 1248 SearchProtocolHost.exe 1248 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 2076 SearchProtocolHost.exe 1248 SearchProtocolHost.exe 2076 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 680 wrote to memory of 2408 680 mscorsvw.exe 47 PID 680 wrote to memory of 2408 680 mscorsvw.exe 47 PID 680 wrote to memory of 2408 680 mscorsvw.exe 47 PID 680 wrote to memory of 2408 680 mscorsvw.exe 47 PID 680 wrote to memory of 684 680 mscorsvw.exe 53 PID 680 wrote to memory of 684 680 mscorsvw.exe 53 PID 680 wrote to memory of 684 680 mscorsvw.exe 53 PID 680 wrote to memory of 684 680 mscorsvw.exe 53 PID 680 wrote to memory of 2848 680 mscorsvw.exe 55 PID 680 wrote to memory of 2848 680 mscorsvw.exe 55 PID 680 wrote to memory of 2848 680 mscorsvw.exe 55 PID 680 wrote to memory of 2848 680 mscorsvw.exe 55 PID 680 wrote to memory of 1732 680 mscorsvw.exe 60 PID 680 wrote to memory of 1732 680 mscorsvw.exe 60 PID 680 wrote to memory of 1732 680 mscorsvw.exe 60 PID 680 wrote to memory of 1732 680 mscorsvw.exe 60 PID 680 wrote to memory of 2024 680 mscorsvw.exe 61 PID 680 wrote to memory of 2024 680 mscorsvw.exe 61 PID 680 wrote to memory of 2024 680 mscorsvw.exe 61 PID 680 wrote to memory of 2024 680 mscorsvw.exe 61 PID 1636 wrote to memory of 1248 1636 SearchIndexer.exe 63 PID 1636 wrote to memory of 1248 1636 SearchIndexer.exe 63 PID 1636 wrote to memory of 1248 1636 SearchIndexer.exe 63 PID 1636 wrote to memory of 1724 1636 SearchIndexer.exe 64 PID 1636 wrote to memory of 1724 1636 SearchIndexer.exe 64 PID 1636 wrote to memory of 1724 1636 SearchIndexer.exe 64 PID 680 wrote to memory of 2460 680 mscorsvw.exe 65 PID 680 wrote to memory of 2460 680 mscorsvw.exe 65 PID 680 wrote to memory of 2460 680 mscorsvw.exe 65 PID 680 wrote to memory of 2460 680 mscorsvw.exe 65 PID 680 wrote to memory of 2596 680 mscorsvw.exe 66 PID 680 wrote to memory of 2596 680 mscorsvw.exe 66 PID 680 wrote to memory of 2596 680 mscorsvw.exe 66 PID 680 wrote to memory of 2596 680 mscorsvw.exe 66 PID 680 wrote to memory of 2540 680 mscorsvw.exe 67 PID 680 wrote to memory of 2540 680 mscorsvw.exe 67 PID 680 wrote to memory of 2540 680 mscorsvw.exe 67 PID 680 wrote to memory of 2540 680 mscorsvw.exe 67 PID 680 wrote to memory of 2568 680 mscorsvw.exe 68 PID 680 wrote to memory of 2568 680 mscorsvw.exe 68 PID 680 wrote to memory of 2568 680 mscorsvw.exe 68 PID 680 wrote to memory of 2568 680 mscorsvw.exe 68 PID 680 wrote to memory of 1016 680 mscorsvw.exe 69 PID 680 wrote to memory of 1016 680 mscorsvw.exe 69 PID 680 wrote to memory of 1016 680 mscorsvw.exe 69 PID 680 wrote to memory of 1016 680 mscorsvw.exe 69 PID 680 wrote to memory of 1980 680 mscorsvw.exe 70 PID 680 wrote to memory of 1980 680 mscorsvw.exe 70 PID 680 wrote to memory of 1980 680 mscorsvw.exe 70 PID 680 wrote to memory of 1980 680 mscorsvw.exe 70 PID 680 wrote to memory of 2232 680 mscorsvw.exe 71 PID 680 wrote to memory of 2232 680 mscorsvw.exe 71 PID 680 wrote to memory of 2232 680 mscorsvw.exe 71 PID 680 wrote to memory of 2232 680 mscorsvw.exe 71 PID 680 wrote to memory of 2496 680 mscorsvw.exe 72 PID 680 wrote to memory of 2496 680 mscorsvw.exe 72 PID 680 wrote to memory of 2496 680 mscorsvw.exe 72 PID 680 wrote to memory of 2496 680 mscorsvw.exe 72 PID 680 wrote to memory of 900 680 mscorsvw.exe 73 PID 680 wrote to memory of 900 680 mscorsvw.exe 73 PID 680 wrote to memory of 900 680 mscorsvw.exe 73 PID 680 wrote to memory of 900 680 mscorsvw.exe 73 PID 680 wrote to memory of 1508 680 mscorsvw.exe 74 PID 680 wrote to memory of 1508 680 mscorsvw.exe 74 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:1388
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2548
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2580
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 264 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1e8 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 254 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 26c -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 294 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 24c -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 26c -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 26c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 29c -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 270 -NGENProcess 24c -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 224 -NGENProcess 2a0 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2d4 -NGENProcess 298 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2dc -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 298 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2a0 -NGENProcess 298 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 298 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 298 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2fc -NGENProcess 2e0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e0 -NGENProcess 2a0 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"2⤵PID:900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1276
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2a0 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:2068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"2⤵PID:1928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 31c -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 304 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 31c -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 324 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 334 -NGENProcess 31c -Pipe 304 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 31c -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"2⤵PID:1096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 33c -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"2⤵PID:2480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 324 -NGENProcess 340 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:824
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2c8 -NGENProcess 348 -Pipe 31c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 348 -NGENProcess 344 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 354 -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 348 -NGENProcess 350 -Pipe 224 -Comment "NGen Worker Process"2⤵PID:1432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 358 -Pipe 324 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 358 -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 364 -NGENProcess 350 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:1708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 360 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 360 -NGENProcess 34c -Pipe 370 -Comment "NGen Worker Process"2⤵PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 348 -NGENProcess 36c -Pipe 334 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 374 -NGENProcess 348 -Pipe 120 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 348 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"2⤵PID:1472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 354 -NGENProcess 344 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:2388
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 350 -Pipe 37c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 11c -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"2⤵PID:1596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 11c -NGENProcess 344 -Pipe 380 -Comment "NGen Worker Process"2⤵PID:2208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 384 -NGENProcess 350 -Pipe 374 -Comment "NGen Worker Process"2⤵PID:1216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 390 -NGENProcess 378 -Pipe 38c -Comment "NGen Worker Process"2⤵PID:664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 354 -Pipe 388 -Comment "NGen Worker Process"2⤵PID:2768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 350 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:1932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 378 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:1852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 354 -Pipe 11c -Comment "NGen Worker Process"2⤵PID:1608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 350 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:1808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 378 -Pipe 390 -Comment "NGen Worker Process"2⤵PID:2044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 354 -Pipe 394 -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a4 -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 398 -NGENProcess 354 -Pipe 390 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3a8 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3a4 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:2924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b8 -NGENProcess 3a4 -Pipe 3cc -Comment "NGen Worker Process"2⤵PID:2432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 3c8 -Pipe 398 -Comment "NGen Worker Process"2⤵PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d0 -NGENProcess 3a8 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 3bc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3d4 -NGENProcess 3d0 -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 3c4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3e0 -NGENProcess 3b0 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b0 -NGENProcess 3e0 -Pipe 3e4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3e8 -NGENProcess 3a4 -Pipe 3b8 -Comment "NGen Worker Process"2⤵PID:2220
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3d8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3e0 -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3a4 -Pipe 3d0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3a4 -NGENProcess 3e8 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3c0 -NGENProcess 3f8 -Pipe 3b0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 404 -NGENProcess 3f0 -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3e8 -Pipe 3dc -Comment "NGen Worker Process"2⤵PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 3e8 -NGENProcess 3c0 -Pipe 3f8 -Comment "NGen Worker Process"2⤵PID:560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 410 -NGENProcess 3f0 -Pipe 3e8 -Comment "NGen Worker Process"2⤵PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 3f0 -NGENProcess 3f4 -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:1740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 418 -NGENProcess 40c -Pipe 404 -Comment "NGen Worker Process"2⤵PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 40c -NGENProcess 410 -Pipe 414 -Comment "NGen Worker Process"2⤵PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 420 -NGENProcess 3f4 -Pipe 408 -Comment "NGen Worker Process"2⤵PID:2908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 420 -NGENProcess 410 -Pipe 418 -Comment "NGen Worker Process"2⤵PID:2216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1848 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1456
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1780
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:560
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2304
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1044
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1708
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
PID:1760
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2056
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2520
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2448
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1340
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1792
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2332
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1820
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2084
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1248
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 6002⤵
- Modifies data under HKEY_USERS
PID:1724
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2076
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD58db2a0b68c26bc6289ec28e19738f652
SHA1ba8ca90cfca0323aa8fde1fc1e350569cb64fcff
SHA25613850d75f7941acc9540c4b251baf7c3c7aa0b822942694f36b88036c7938add
SHA512e25a3c1e1207458f0c3932d5a1aeebaecaf4b36cc589f06e193f11f4ad7518a0cdedf8d00dcbd0a589d1e4464e8279bd7594434b328c4079c48cb81bae5fe3a7
-
Filesize
30.1MB
MD5fe4924f2d1954dac929fc614f7a91753
SHA1c702a7efec76d2b55963e3e3ed584082b39e2838
SHA25624e4cbf1758b4f72069b10731e5a07156616d7cd1deacf1b86dad5096992310f
SHA512fd264489e059ca6bc0ca174e7172f619f5329cbb3b52042f5d888b3e3fa2d148327e5a3ae2d6f4b7e12ac9310aff76157ee9dd4729b7592aaef34214c26ec466
-
Filesize
1.4MB
MD577467ba1fa4d01392005e525d0c7fb44
SHA1e26fb1eb06a4a985e914254e218c348fd3fc9776
SHA25616a4f864e533b2297c0d27aa7053d64f5045ef88c5998a8d3ffcf0622ee9625b
SHA51212943c6b8321acb57a8e37ab9ea6406f14d9ba13d8c918ba2054aa75e268b2dab65140c1338925d69b9e5e993b32643e5b332261212a450536d09db61bd631bf
-
Filesize
5.2MB
MD5f5fcbb370649d77328785383bbc4abb3
SHA1de521f4b2c918c7536c0b88d6877b1634fb035ce
SHA256f18ecec93eee08fe153735111ed021a0202b6c5a39d77fb1aa7e3e2045382099
SHA51242fd0c8c5369b64588ff8f0bc84fa36b8398276c10a47764bc58c3d01ad7b70731bd200467b80b31f14346bb181da1e6e89c9d54ec9ddf30913bd44acec639ea
-
Filesize
2.1MB
MD5855384151a9430da2cc0e91059ee6ecc
SHA17af68aeb332edf9bece4df6c0e7a61e77d2fc765
SHA25608f89191864228b092614751ac143f3afb85c364d2b8c01d7c98bd65bed3f00e
SHA512f2679aa21c3f2856bd16f096c469c64fa9830d3e2fa7bcdd96f6c27cedfa3710ba4d96f1d570b9512afabac96dd6296259d996e11161c601f8e88132bedc6347
-
Filesize
2.0MB
MD5751f9f0577d592810245da5bc1a28172
SHA1de85a413e1564bf058fd622a6fdcebcd9d649e83
SHA256a73b51e8191c1559adf6150ee14a6f9fefeeeb1e3fd4dda593a43cdab32e873f
SHA512586699b7e7d9ed9fc9e05e090d0b5b1d73ed17284d867da05189c7f90b5b6240b98ad11bc5a9ad71c684ff3617f8b2563a2f1a0060f82c9a6b9352f02326791c
-
Filesize
1024KB
MD5f41eb085f4e6d4416b38e3807cb84a47
SHA172293fd1a7100708bb84fb5ed63e13320bddca5e
SHA256152e8201eba0c19d5e1033f147c250d706079a5ecd9096eddb20cdf3acab83a3
SHA5128b41f08fbfced46614606fc1a2b7ec961910a00b5f4d05917973e25a94abdf304ee2fff5121e6807de24e115a301600e0148bdbf054363f9a5d9dfc793930376
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
1.3MB
MD5964362bc6a999a46453e93bc8c6bb1e0
SHA11dd95817f97bd37dbabe276a55437ae8e740813f
SHA256d3124387e4d9620ce59d1c3ee4d3aefd98b6bcad7c5beaed543f702825a7a89d
SHA5129b90da5250639e8bbe99ce0c01a4cfedcd6bec42f162892d16465a006682fff9b974eb4b5cbbb3ec83f8f575502f97ad4d8971851acf00c0e67b0341e37b31f4
-
Filesize
872KB
MD5da16804c9061b04c55e86aa600b1cd3a
SHA1c18ae1a07d1e49ae6274d48fc60099f79420873b
SHA2564a81245bbb23df5a2b276ada979af2122215e582e9208e195171ef74a9775f45
SHA512b012a0c714daf27c109da1dbfe4f17cf7ee4e49f61a14a0ec8b9465612f31508e8545f63e571005f7b1a02ca44c4fdd71feca0ac2e6da37df81f0743af98fb1d
-
Filesize
1.2MB
MD50b84869223881efaa428bb0f2fc8b163
SHA1549aa6c496aeefa679dd1c2e11df819c927f8938
SHA256db7fab52d760b009802a43533bfb0208af4ce5a44f67b129f238030143ea2172
SHA5127e65b4b1ba11355e01c7b9ac59c6d17b9df00540ea082c340324e89d11c59aa9ed5f16d794715d6908a11ce4149e56fa1dca4f5d0b31094f34b0f7f70eaa5d75
-
Filesize
1.3MB
MD52eb343d3452eab357d58c905cd6ab646
SHA1de02ee89c15d62a15dc3e56a1921ec13ec4f0c2a
SHA256e317aa85aa7c3a4da7a8bfbd9c9e80cc1098409009c56c8847c19763ec2ea46c
SHA512ca5cac44c90cf362c21cc1f8e44ba99bcbd59a799eaed2a542f61e1548f6c93f55e33813ae2391b7abb5af80186ebc33d2cbfce1dc6e409aa68143f1d37fe44c
-
Filesize
1.2MB
MD585e6655d350eddb72196334e4dc38a59
SHA1019e25f405d0c9ce444b7b8722e8c12bbbe01794
SHA25645fe31021ce3e588336e46f6af6e962ba17af8dc0c5803fc2bda5c1a173bef33
SHA512f5ac58480f10b144f9745544d2f691a3bf056c2ddee076403145e55873249d3528ac483676272e7a4365958753b6e9248238e23cfc959ace6a4e363ec7261b90
-
Filesize
1003KB
MD5bdcde99bfaf21edcdd9c28d1edae81b2
SHA1ee7e7e479a42f1ce92c409352ab8c52360c6e778
SHA256fc8608ad70586f319b681bc3b85b88ddbddf43187cfdd3c3fcfea96526d96038
SHA51295f7fd1a7089124f83ab44ba9ec001b96b75c068378f23a8aff12862734f12ff7b6750fc30b96921c1084a8c92a5c2f935ef3c08002f313dc812cce2f5242201
-
Filesize
1.3MB
MD52a52653acd1d12cdbf5ecc10e48c428f
SHA1c87d14296d681312ba893d2fb759c760c82a2d2d
SHA256c2e06a3b0bc53708a4e892ab0b23d5c771e4205ce31fe6ad90715e2eafd5ca20
SHA512683ecffacb0a7f637659b2de8ffeb9ee83abbf28199943de241137e58ea6942a09873ad1c69bb4a9abca4f72346f2662746e2e2d4503b09c432a3820ad0865e9
-
Filesize
8KB
MD567795593bb4c623ab6cfe65449442708
SHA194e50429d3a0272881fcf1da540070ada08cffdc
SHA256360cba4e3f424389dd92ac55e245344909fac66dd605aa8c0e1326e599f62381
SHA51219150eb485243c245e8f8b2bbdbe1987c79ea07c39839964b02be62f9f0857ba114bd356c17f9adfbaceb5327d16553f05ac80ded582c6ecabe885e5829e69d2
-
Filesize
1.2MB
MD54861432135b5c29fc8052f6f463e6d54
SHA15ed9af85ce808370b4ff30485718319c2aecc5b8
SHA256c85dce7f92717b388044e2dc2b1e5c3358dc08cc20359955337a842127dac2e9
SHA512abe2dd770e6bd9326d53fdec96c529696e347e5b6ceb54076186a1e3ac0052412b8b63c9fc6b84def281b78bf250f70e57b541e3ecf0ad42b8140a5563e87171
-
Filesize
1.2MB
MD51b91794748ff13efc24c3148d679d56c
SHA16acecb503660517f3f354e732ef937b031c10ce5
SHA256a3d4168b777ac16ffc691f06d35e134bd12424aa78e3b739a958a9071c600248
SHA512191acbd936e754168e5699f3ee4078bc3acf4f6b8110295173fe9e2cb89b03188d2ec72dcfb3f05b4f96ad51747a8f0efe55380c93dcfa716e776f73d3f74504
-
Filesize
1.1MB
MD54d30a914bc17d72098f60a248f9a6ccf
SHA1a0b4d604137ea6713052bbe766ac3b627a623a99
SHA256d36ef03b29aa8e78a07355d39fe71995ed917df4b2baec4dc1959c32fb792b86
SHA512d003a1c62098f911d164470346122a857df9fc2a57039e4ef3dc56f539f01d1ed0c1814943fdfe90f579300c2f2bc4cc0132eef040c20e95786810b8d4466aba
-
Filesize
2.1MB
MD505e62dccdaa79c2cd4025170d022c6fc
SHA1815ee29c5a670b62949aa8ff520d0d8f6b49ddb6
SHA256a312ac5b10df4aa75fe11f205290e84d67a1708abb23fee39d304f431ee91a42
SHA51219b6080ad05ae5015cdde747814a484766bad70a6ca4c86f838a5590b99b2ed0239285cdacc62bb84d3ffe47018e1496e55b8790daac38f4b19e6d67aca5e335
-
Filesize
1.3MB
MD5567c4ce8ebd81c83620f90151591ba0d
SHA132e67b7611398a0a4fb5c1519ec97b35a3c19a94
SHA256e750feb6cabfb0e16ef77c816115ccb7e658fb9bc3be5a8722bec8b186c2cbff
SHA512fe87f55f240a4fffb242846610bc3ee37ec7f8520426486c9de969a42b3d751f6d330e5ce5d1459d3b50d66b46af75655a3d3a47b2fa4675902a96eb04fa8a6b
-
Filesize
1.2MB
MD5b784ec76bf97e92bbeb9f174e3e35695
SHA1928d2ad0bcef6a1c06716a8c03cb40a66cfba228
SHA256f5aab337ae4719c04a39d422001e2aa4b983145f4a0dc438c476e41b01d2a859
SHA5125b575157e672402562ac48f7c691a1d482634329309d98316ee43e0516e2e6acdee19815bb36e0438a293e32a3273dea599614303324f53c7e2c95acfd42189d
-
Filesize
1.3MB
MD54921cb49609e90de6da11c2929696243
SHA1442515ec40d969b28c1ccc85086836c10cd0adb5
SHA25685b58aed1ec77aa88ae1ed37cc86d37076014ac5dfb7e9c2a9cbedd3c4fe88a4
SHA51283229f2a3c87e26a16064e28c62b99170c507ca32b0369a3c1ce36605ac6499bcfa8804627a9a2ffbb711538d31b3af6d9ab678d06f7bce8e1949d00ed5af15b
-
Filesize
1.3MB
MD51f76b0402c2126ce53128baac51f22a8
SHA1a5ccdbf2d5b81aabc30f57ccaadf617bab7bb04e
SHA2561a4119585e4a2452ff41e7fa44f4320dcf1d2e2f4b4589465a6731e05c682963
SHA5128317b01391c92f18c41ca95de8b05dd5a818650acd7008ec77dbb2fbbd2155b4ec0122b71c8abb05022fc1fa1a03b51465970f91e6fcde3c83aadd8c8b973d4c
-
Filesize
1.2MB
MD551369a5b32056485dae601bb28339e3b
SHA1ba6c01207268a029e0c4c305e0047a2423be165b
SHA25681d226e006bb0bfb6459f726f43a44647822ac3db9910b181d00ef1eb0e3414d
SHA512caafe259120287178a483e0d8c8e8244fa0097e28a5d26059af8060fb12df1aed1bc8a42d9758d52b56773e1912e95a255e7c4696f8f3b2f01eb8b47e06fcc01
-
Filesize
1.7MB
MD5b9d48630290370dd8a7f226b84482c98
SHA1b6a58d4f02a9e0d4515052c31a72ce6bccaafc77
SHA25693c17b80e9ec55b5e795e844fbe218fb8dcbe92d0f51090960a9ff4278e98cbf
SHA5129a73fc6cbfc87982839f64bb72609bb8b7aeb84a9d82468b70d5d84afd913b00425377d9fcab117771133b36d55fc24f9cf094a0ec6198fe2a282bc60036a35e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize834KB
MD5c76656b09bb7df6bd2ac1a6177a0027c
SHA10c296994a249e8649b19be84dce27c9ddafef3e0
SHA256a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA5128390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
MD5e88828b5a35063aa16c68ffb8322215d
SHA18225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA25699facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0646bce6d6dd23f4fc7933bfbf871f07\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD59c1cd1fb21f305ff423d8039c9d85537
SHA137b180848d779b4647cbe9b53511362596cc013b
SHA2565d681a14713a210e9fca8756a8ad9aa95966dc9fec2548a8cc90072f3871538d
SHA512075ffa9ee357868cf30c9752990e125b0c66468d7b16c5aa88cf0a54697df1d1ac345424bb3528a13e8d97225fb57d29e21233afc7cdc926eb7471041f0110f3
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1060e2b12ed721d7e6832479db02d691\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD5f2e50e153aa6a46e90f3a263e647c550
SHA182eb1f859a1d8a2d08f9eee4ce3489ea61d548f5
SHA2561a3a40f111e1134027328bbd9653466e7a763423c273b5edd64188cf5a546b98
SHA5127066239052daade6b9e15082e4b612e1b3cc75a08fb2cfa8fdc2f677cd140b6c6d2c60b888f91421c792fbd9920f1ba0fff418f740e1790c476e15cd626dd354
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\457428d43abfa62e872fdc7117e0f2dd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD5f9dc97e103a19a0a6ebb4944e9917850
SHA1ea385a8744cc7d4f1b9e6d1cc611174a68f918fd
SHA2560ff21d3bb65da2218658debab8fc3e31ab92d5cec188bfede9884e9fe5bd3769
SHA5127f1c0724414bfb7d2c959a0e101dfa93dd4a83f7c37f9a7321c4e3621f06d07b6d60220cafa07f7ba8ee439d012b734a06711e69cbbcb48dcfea8ef1fe3b4d57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5f786ebe6116b55d4dc62a63dfede2ca6
SHA1ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA2569805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA51280832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.2MB
MD51dda4b7efaf5bb9d3f34c9510f2fe0e9
SHA123838de7c63a821afcbe00df55d7e8db63abe095
SHA2562159cc0960eac7e85482453c9f5fa72fb124d94241cfd129d366ca3fb9af660d
SHA5123cda2d76a1bbd5f8fbd062bebb9c5e3db274a291cd106502390bf42f6a1777a64cde01dadd26b2981d0c28f7dde9f0b67fe2074fa9f66e995b84b516651fc09f
-
Filesize
1.3MB
MD5bf4ae2490dff0328d7a9492f57784715
SHA133ea041c0bef3d31c2f3df63630c70682a27d1c8
SHA256465e81beaf8b67d072cc61b4d3ede020af8d4ebd26ab0f3e403ed0e6950060c5
SHA5125bdb92a5cda5e69daf898472143b5066bdd19e2026f9cbd35578db39eb76cd4e5990b862be2f47a9d0eaf30f53a01b9ebf476a7e600d2255a513a93b86c38d62
-
Filesize
1.2MB
MD526319506701d88e1c11ba9428a5e1085
SHA15c0232b520fe20800a02747d1c2cb612ab369e35
SHA2565d45c3562dedda9752fde7582febb56bf47a90e0298dac337ffdfd6f743863b1
SHA512ea5f016d4a1a66959d80795cbd86697128d99e8a430d606b53ce4a730a3925300d7db52693984c579f5fe0e1b6f962809771873626a9db4bd1fe23da65a2025d
-
Filesize
1.3MB
MD5c349edfb648dbc9ed8152b8aff585035
SHA1c7aba5baab0e6f9cc9f7216d7965ebc3ab4c39a5
SHA25605a6a5ec5c9749935bdc5122d68822cefbcce0f3d89e053db77b113e8fc157c4
SHA512708db08ceb186f45bdc2da1468f39264389656614b6db1e58c1a4c61adb112fef9d8d99990fac5954a9573de20e103bfb36d6ee01aa33efe45ba86611ac4604a
-
Filesize
1.4MB
MD5aff796936f7002e6cdbe91231a4d7dac
SHA18d3c92b88f02d69305a9f89d7208db76405c6b4f
SHA256a9c78a4ee0514e94451c74d6cdabc8d7b58054269f2f91b1fa8fadc69eb01954
SHA5124543d306fa234f44562a75b7c0bbf9617af253e71a3e72f00855d3413ea3f4cbff278415c3dea2919f6da4c98617de1473447874ddae4c184e9eb9f744a56084
-
Filesize
2.0MB
MD51069fabd260cba92bb9510d0a1e35edd
SHA1e1407229db0338b934a21337844403a1b4c13c8f
SHA256487d79694325ac9ab7bd0df0b5e8b99ece26fe11ce4ef001591fab2fcfad5fed
SHA512c051f7c991566b4aee39ec3ce6ea88ca339280454fcd80948f9605019dbd34b0918534e223ea1dcd0756443faa7e433dc934329f311945f9822da3ce7c94eb99