Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14-10-2024 08:44
Static task
static1
Behavioral task
behavioral1
Sample
69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe
Resource
win10v2004-20241007-en
General
-
Target
69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe
-
Size
1.8MB
-
MD5
08d32de70897f0686481c389dda45774
-
SHA1
af902f928bd04becf7ea4e60fe7be196e7b8cdf2
-
SHA256
69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1
-
SHA512
a35d905af6fb901d39e3fcd141b6fad78806267b4103e1613c0598c81e47a3b1afd2db7a13656720e9c61e57cc0a021c9b05e13e532e232838ade1c9f3d1fcd1
-
SSDEEP
49152:kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAAB+kn3Hnx:kvbjVkjjCAzJR+k
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 464 Process not Found 2560 alg.exe 1708 aspnet_state.exe 2196 mscorsvw.exe 2104 mscorsvw.exe 2516 mscorsvw.exe 2464 mscorsvw.exe 2272 ehRecvr.exe 320 ehsched.exe 1680 elevation_service.exe 2032 IEEtwCollector.exe 2920 GROOVE.EXE 2780 maintenanceservice.exe 2136 OSE.EXE 2368 mscorsvw.exe 1120 mscorsvw.exe 2988 mscorsvw.exe 2848 mscorsvw.exe 2128 mscorsvw.exe 1896 mscorsvw.exe 2936 mscorsvw.exe 1240 mscorsvw.exe 2788 mscorsvw.exe 2712 mscorsvw.exe 2820 mscorsvw.exe 2876 mscorsvw.exe 2752 mscorsvw.exe 2564 mscorsvw.exe 2212 mscorsvw.exe 2640 mscorsvw.exe 2908 mscorsvw.exe 2520 mscorsvw.exe 1152 mscorsvw.exe 1716 mscorsvw.exe 2656 mscorsvw.exe 2604 mscorsvw.exe 2616 mscorsvw.exe 612 mscorsvw.exe 2496 mscorsvw.exe 1720 mscorsvw.exe 2180 mscorsvw.exe 2024 mscorsvw.exe 2980 mscorsvw.exe 2780 mscorsvw.exe 2528 mscorsvw.exe 1536 mscorsvw.exe 2408 mscorsvw.exe 2640 mscorsvw.exe 1696 mscorsvw.exe 2492 mscorsvw.exe 1240 mscorsvw.exe 1716 mscorsvw.exe 2760 mscorsvw.exe 2612 mscorsvw.exe 2292 mscorsvw.exe 1980 mscorsvw.exe 1972 mscorsvw.exe 3040 mscorsvw.exe 2060 mscorsvw.exe 2268 mscorsvw.exe 1896 mscorsvw.exe 2892 mscorsvw.exe 2716 mscorsvw.exe 1480 mscorsvw.exe -
Loads dropped DLL 43 IoCs
pid Process 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 2780 mscorsvw.exe 2780 mscorsvw.exe 1536 mscorsvw.exe 1536 mscorsvw.exe 2640 mscorsvw.exe 2640 mscorsvw.exe 2492 mscorsvw.exe 2492 mscorsvw.exe 1716 mscorsvw.exe 1716 mscorsvw.exe 2612 mscorsvw.exe 2612 mscorsvw.exe 1980 mscorsvw.exe 1980 mscorsvw.exe 3040 mscorsvw.exe 3040 mscorsvw.exe 2268 mscorsvw.exe 2268 mscorsvw.exe 2892 mscorsvw.exe 2892 mscorsvw.exe 1480 mscorsvw.exe 1480 mscorsvw.exe 1616 mscorsvw.exe 1616 mscorsvw.exe 2504 mscorsvw.exe 2504 mscorsvw.exe 236 mscorsvw.exe 236 mscorsvw.exe 2344 mscorsvw.exe 2344 mscorsvw.exe 1664 mscorsvw.exe 1664 mscorsvw.exe 3016 mscorsvw.exe 3016 mscorsvw.exe 1612 mscorsvw.exe 1612 mscorsvw.exe 2832 mscorsvw.exe 2832 mscorsvw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\System32\alg.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Windows\system32\fxssvc.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\fxssvc.exe mscorsvw.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe mscorsvw.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\6dfc04e15f6c6349.bin alg.exe File opened for modification C:\Windows\system32\dllhost.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe alg.exe File opened for modification C:\Windows\system32\dllhost.exe mscorsvw.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Google\Temp\GUME2A2.tmp\goopdateres_id.dll 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe mscorsvw.exe File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUME2A2.tmp\goopdateres_el.dll 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUME2A2.tmp\GoogleUpdateCore.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File created C:\Program Files (x86)\Google\Temp\GUME2A2.tmp\goopdateres_nl.dll 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUME2A2.tmp\GoogleCrashHandler64.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Program Files\7-Zip\7z.exe mscorsvw.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe mscorsvw.exe File created C:\Program Files (x86)\Google\Temp\GUME2A2.tmp\goopdateres_hr.dll 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe mscorsvw.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDBCE.tmp\stdole.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe alg.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAB4D.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAED5.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehRecvr.exe mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB970.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1C2.tmp\Microsoft.Office.Tools.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe alg.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCE38.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D12.tmp\Microsoft.Office.Tools.Common.v9.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" ehRecvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2880 ehRec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2248 69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: 33 1748 EhTray.exe Token: SeIncBasePriorityPrivilege 1748 EhTray.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeDebugPrivilege 2880 ehRec.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: 33 1748 EhTray.exe Token: SeIncBasePriorityPrivilege 1748 EhTray.exe Token: SeDebugPrivilege 2560 alg.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeDebugPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe Token: SeShutdownPrivilege 2464 mscorsvw.exe Token: SeShutdownPrivilege 2516 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1748 EhTray.exe 1748 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1748 EhTray.exe 1748 EhTray.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2516 wrote to memory of 2368 2516 mscorsvw.exe 45 PID 2516 wrote to memory of 2368 2516 mscorsvw.exe 45 PID 2516 wrote to memory of 2368 2516 mscorsvw.exe 45 PID 2516 wrote to memory of 2368 2516 mscorsvw.exe 45 PID 2516 wrote to memory of 1120 2516 mscorsvw.exe 46 PID 2516 wrote to memory of 1120 2516 mscorsvw.exe 46 PID 2516 wrote to memory of 1120 2516 mscorsvw.exe 46 PID 2516 wrote to memory of 1120 2516 mscorsvw.exe 46 PID 2516 wrote to memory of 2988 2516 mscorsvw.exe 47 PID 2516 wrote to memory of 2988 2516 mscorsvw.exe 47 PID 2516 wrote to memory of 2988 2516 mscorsvw.exe 47 PID 2516 wrote to memory of 2988 2516 mscorsvw.exe 47 PID 2516 wrote to memory of 2848 2516 mscorsvw.exe 48 PID 2516 wrote to memory of 2848 2516 mscorsvw.exe 48 PID 2516 wrote to memory of 2848 2516 mscorsvw.exe 48 PID 2516 wrote to memory of 2848 2516 mscorsvw.exe 48 PID 2516 wrote to memory of 2128 2516 mscorsvw.exe 49 PID 2516 wrote to memory of 2128 2516 mscorsvw.exe 49 PID 2516 wrote to memory of 2128 2516 mscorsvw.exe 49 PID 2516 wrote to memory of 2128 2516 mscorsvw.exe 49 PID 2516 wrote to memory of 1896 2516 mscorsvw.exe 50 PID 2516 wrote to memory of 1896 2516 mscorsvw.exe 50 PID 2516 wrote to memory of 1896 2516 mscorsvw.exe 50 PID 2516 wrote to memory of 1896 2516 mscorsvw.exe 50 PID 2516 wrote to memory of 2936 2516 mscorsvw.exe 51 PID 2516 wrote to memory of 2936 2516 mscorsvw.exe 51 PID 2516 wrote to memory of 2936 2516 mscorsvw.exe 51 PID 2516 wrote to memory of 2936 2516 mscorsvw.exe 51 PID 2516 wrote to memory of 1240 2516 mscorsvw.exe 52 PID 2516 wrote to memory of 1240 2516 mscorsvw.exe 52 PID 2516 wrote to memory of 1240 2516 mscorsvw.exe 52 PID 2516 wrote to memory of 1240 2516 mscorsvw.exe 52 PID 2516 wrote to memory of 2788 2516 mscorsvw.exe 53 PID 2516 wrote to memory of 2788 2516 mscorsvw.exe 53 PID 2516 wrote to memory of 2788 2516 mscorsvw.exe 53 PID 2516 wrote to memory of 2788 2516 mscorsvw.exe 53 PID 2516 wrote to memory of 2712 2516 mscorsvw.exe 54 PID 2516 wrote to memory of 2712 2516 mscorsvw.exe 54 PID 2516 wrote to memory of 2712 2516 mscorsvw.exe 54 PID 2516 wrote to memory of 2712 2516 mscorsvw.exe 54 PID 2516 wrote to memory of 2820 2516 mscorsvw.exe 55 PID 2516 wrote to memory of 2820 2516 mscorsvw.exe 55 PID 2516 wrote to memory of 2820 2516 mscorsvw.exe 55 PID 2516 wrote to memory of 2820 2516 mscorsvw.exe 55 PID 2516 wrote to memory of 2876 2516 mscorsvw.exe 56 PID 2516 wrote to memory of 2876 2516 mscorsvw.exe 56 PID 2516 wrote to memory of 2876 2516 mscorsvw.exe 56 PID 2516 wrote to memory of 2876 2516 mscorsvw.exe 56 PID 2516 wrote to memory of 2752 2516 mscorsvw.exe 57 PID 2516 wrote to memory of 2752 2516 mscorsvw.exe 57 PID 2516 wrote to memory of 2752 2516 mscorsvw.exe 57 PID 2516 wrote to memory of 2752 2516 mscorsvw.exe 57 PID 2516 wrote to memory of 2564 2516 mscorsvw.exe 58 PID 2516 wrote to memory of 2564 2516 mscorsvw.exe 58 PID 2516 wrote to memory of 2564 2516 mscorsvw.exe 58 PID 2516 wrote to memory of 2564 2516 mscorsvw.exe 58 PID 2516 wrote to memory of 2212 2516 mscorsvw.exe 59 PID 2516 wrote to memory of 2212 2516 mscorsvw.exe 59 PID 2516 wrote to memory of 2212 2516 mscorsvw.exe 59 PID 2516 wrote to memory of 2212 2516 mscorsvw.exe 59 PID 2516 wrote to memory of 2640 2516 mscorsvw.exe 60 PID 2516 wrote to memory of 2640 2516 mscorsvw.exe 60 PID 2516 wrote to memory of 2640 2516 mscorsvw.exe 60 PID 2516 wrote to memory of 2640 2516 mscorsvw.exe 60 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe"C:\Users\Admin\AppData\Local\Temp\69919b299d23d2ac2f3eebefda974592243ea2aa4e3bab6483b479291b408da1.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:1708
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2196
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2104
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 250 -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 260 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 24c -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 26c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 290 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2640
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 23c -NGENProcess 280 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 280 -NGENProcess 274 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 240 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 23c -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 254 -NGENProcess 294 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a4 -NGENProcess 240 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 1c4 -NGENProcess 274 -Pipe 21c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 2d0 -NGENProcess 268 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 274 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d8 -NGENProcess 2e0 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 254 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 254 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2f0 -NGENProcess 2e0 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2640
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e0 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f8 -NGENProcess 2d0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f0 -NGENProcess 300 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 314 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 268 -Pipe 310 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 318 -NGENProcess 308 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 308 -NGENProcess 300 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f8 -NGENProcess 31c -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 31c -NGENProcess 318 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 328 -NGENProcess 300 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 300 -NGENProcess 2f8 -Pipe 324 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 330 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 328 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 338 -NGENProcess 2f8 -Pipe 31c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2f8 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 320 -NGENProcess 33c -Pipe 300 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 33c -NGENProcess 338 -Pipe 30c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 348 -NGENProcess 330 -Pipe 318 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 330 -NGENProcess 320 -Pipe 344 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 350 -NGENProcess 338 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 338 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 358 -NGENProcess 320 -Pipe 33c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 320 -NGENProcess 350 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 360 -NGENProcess 348 -Pipe 330 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 35c -Pipe 268 -Comment "NGen Worker Process"2⤵PID:1760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 320 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:2260
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 338 -NGENProcess 35c -Pipe 340 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 35c -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 364 -NGENProcess 328 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 378 -NGENProcess 370 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 370 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 37c -Pipe 338 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 11c -NGENProcess 378 -Pipe 364 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 384 -NGENProcess 374 -Pipe 370 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 35c -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"2⤵PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 388 -NGENProcess 11c -Pipe 36c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 11c -NGENProcess 328 -Pipe 390 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 118 -NGENProcess 38c -Pipe 368 -Comment "NGen Worker Process"2⤵PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 118 -InterruptEvent 394 -NGENProcess 35c -Pipe 348 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 328 -Pipe 374 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 38c -Pipe 384 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2388
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 35c -Pipe 388 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 328 -Pipe 11c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:3040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 38c -Pipe 118 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 35c -Pipe 394 -Comment "NGen Worker Process"2⤵PID:584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 328 -Pipe 398 -Comment "NGen Worker Process"2⤵PID:2416
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 38c -Pipe 39c -Comment "NGen Worker Process"2⤵PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 35c -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:2468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 328 -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:2240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 38c -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 35c -Pipe 3ac -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3bc -NGENProcess 3cc -Pipe 3c0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 35c -Pipe 3b4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 328 -NGENProcess 3c4 -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 378 -NGENProcess 3d0 -Pipe 3b8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 3d0 -NGENProcess 378 -Pipe 3d8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3dc -NGENProcess 3c4 -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 38c -Pipe 3bc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 378 -Pipe 3b0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3ec -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 35c -NGENProcess 3e8 -Pipe 328 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 3f0 -NGENProcess 378 -Pipe 3cc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c4 -Pipe 3dc -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3e8 -Pipe 3e0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 378 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 404 -NGENProcess 3c4 -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3c4 -NGENProcess 3f8 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 27c -NGENProcess 2a8 -Pipe 1ec -Comment "NGen Worker Process"2⤵PID:2504
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2496
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2272
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:320
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1680
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2032
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2780
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD503fe00368b8d71bd57baf49167f77f7a
SHA12fa38a622b917ccc8025fb178dea809c491e5823
SHA2563046978357c4ff914bf2e404eb8c589c36e391e1b70f0f6c01d38c7d880443fb
SHA51224e46513fe0acfb22eddf8d7cd4ec300c083019c82dad25a9027b71ae8ad6c0accdfb6f708d85a7465b776d35dfe093d9db3b844f75d4348fd1f6d4226013368
-
Filesize
1.6MB
MD5e9f387b51e66560d528754d7856e496a
SHA181f9e6b7ffc61dfbe0f25253736ea29cfab58827
SHA25660b1a992c87d94d8650fe161c1a4809c49b4eeee6eb5accf2d7603625cc6e3a6
SHA51245616ca46eeb09876560d105fb5e5cceff2f364b0cca1e7d91fe0416ae02285ddd08a163b2cf1047f407f4906d962b67e734d648bdddfd90feeb150c1d434100
-
Filesize
1.3MB
MD56501eeb1edfe0d719c14a7e72c4546c3
SHA19751dbf447986775ffa51a3ec39264b6f01bbed1
SHA256f6b9671fe6ebb9675d58317e84deda6db1d06d2c2fc8e738ef1547a52fcfa4c1
SHA512fee9a884a5db31c7f9974a22e8baa04998323a93184c76d60fe771c11b09af42068095dde074f57bc45ce24bc6542ce48997dc498b7eca61b872f9da404f7ae3
-
Filesize
1.7MB
MD5eec1d847488393aa551d2508745cafa1
SHA19814b1a6d0ca451f138fdbd771792104b1b6e041
SHA25612f44a6b17e8a7ff57de60059feaaa0dfd9c7f1be46beb528f8125236a251f3c
SHA5129c362c8b12bb6aa1bf4c508c0d972acd1450606e3290b068acf42349c836602e624b1feb6b9248e664478496d0df53a2c8f54cd25f9a3f76ee2081cc60f4a03f
-
Filesize
1.3MB
MD51045b44363f58d6ef05c6b2022814b69
SHA1904a18140cc1c29ef16de919ffd7a1e77ada14d9
SHA2563f66b58afff2aed1c67652fc03fddcb8a7f1b4b23968307fa134f5ef7c3f4df8
SHA512d5be7a8d253137c985216b5702e092e99fbdcb1d32e9201a53914daeee279fbda55b02cc113d0c04f42d46b350a6dd691b4a903325184be8e7f12b883ea2ff2c
-
Filesize
30.1MB
MD5d62792ad05e4acad329479f565ac61c1
SHA1974fc0d3367d415fba9268928e65ba5827fdbea8
SHA25639778a8df0be41531376bfcc065ef36c30820668338c9a9627800fda2739d7c5
SHA51286362370899f79ba4316a51fe446c4a543a0912df5604b9e4570c1565c892d95ad2ecfa25c25d61a0059201ebe1eee3b731012f75c08041152936013550ee3fc
-
Filesize
1.4MB
MD503eaabfa306f81297876faadc700e536
SHA1f97aa32909fcfaf44f88fe4002d9c352c55c7165
SHA256023c5d52087f5d7b899b2788c3ea0a662e7c053daeaf604fd3e90235e55949c1
SHA5129592a4a866a49b706bafd4eb9a83674ec9716ed6005e2c318152d500f07d156feb322ad78211da313d4615d897bccfb79f27bca5b73af7ae41ef01ec3193b57f
-
Filesize
1.7MB
MD52cdd26179b323372e0e001ed8e467173
SHA1e53c83c22314bacecab5c06cb4ae12cf46442cd7
SHA256c00503c7054b782ad10c05bf8fff948b76bf5de379e9146d72b15e55026645b0
SHA5128d628b76cd27e7a9964b43b336be5b0d304b4cc919309e4f49faf81bf8140e7af7dffee96a9c396f70893464c18ab6e900c9271e9bac2e07c00e366d7f3825c7
-
Filesize
1.5MB
MD5e89018709624a7f2cf464e0e1bf089b1
SHA1a66bbb1edd76c07c5652949e90d67e085caaa953
SHA256d80039508877a43cf9cb185789be2013e4534b5f878542e36c6fa7730d6f4d17
SHA512a4a1722fae5ff10f6e71c3ee85a69f1610702d6e02390cfabdbc790ea57c6b67b36a510a8248f8068d05c896659440c6eddea6a4bb217da59f6c4949e5b3f37a
-
Filesize
1.2MB
MD5186e3c7a0a1de5d48d7e1331f8a28046
SHA1a4d04baac3c6511c17f5172cb7597bbc56e5bafe
SHA256b3524ed22b363b05405aa3bf5f13aa6346fcb7f90759955d8adc5c21b55e6d11
SHA5129ed916fd485b0194ab105e3debcea58e12dec5e2f527c81ebd841a33f5b6710014875d007369fcc8aec154c8655b2e9d76e69fa8c59186159e1397776c799533
-
Filesize
1.2MB
MD5f2977fa7266e17a23808ffccf8f3a3b7
SHA151c5c2e61842cb1210a14a00a9341a2ba1c0942d
SHA25616e073da73b293923ca18864ed92f01379e60462231c315e59250fe197aad1ed
SHA512615aadd13907162d7c1caf54557be56a7f776f12346805063db670eebf5fa35e706b1961afc9888b3a4a7e6136035d554ff08112ad537de84e6076cfd16d971d
-
Filesize
4.8MB
MD5b8b5332b5e33e9db2f8412e7ba5defd0
SHA1416520955368ee9fc9404ceda5b0a795bb58e2ef
SHA2568b35b16816ff35777b1d5b3413619d71723d499254d657aec4caddda086e5a5f
SHA512a70c3b20fc3cdb786720421f3ec10ecefe50b14c35123875a55611744700f9133797eba13514f50af6d8ed8abafbbdfe869596989d9830b25f067e0e71b973f6
-
Filesize
4.8MB
MD5e6c4d63d2beaccf724dc4c49a6551fd2
SHA1446ee77dd97c756ab0ec13cb740ffe33f0398723
SHA2564a54d271c3c7fd1f301c92484ba57cc894492a6ee66c12cc5d36db8f76318f76
SHA512040b84af9a10b33de4a66979c7b134d8f403ded4a16383c97d5dd4f058104394a56153980b5facb2d5abfb2c20ec60ae8da319a12bfb8ed0f8ff7f2e035252a6
-
Filesize
2.2MB
MD5a1d20f7460dcd62bab06c11356ee2fc6
SHA187f37db6fabd826610849c425a0845e52b43df54
SHA2562a12e16c094770afc943c3db84ea1003ed019cd57c6d5129583a1ad2fa4d5836
SHA51217667ceb767ca5e90281d0d1dadb055a7440d4f3af424342dd49574a5a7c5674c429cd8c7f110bb49d9df25ab03ad7929a33e889aa3eea65e1a616a6e603a339
-
Filesize
2.1MB
MD5ad2058960b560ec6a91f569a3c352537
SHA178fddb4e5b8861bc7287b9329c7f39d2a378f096
SHA256603ceb9b6540662eb99ac26510f9074ba36a28d1174de5b4620c0c5a6397cae5
SHA512080f570b449dece7e49e79a07d66abdfbd2699d826a4e21a7193e1a4d27ac89603cb160763fe5a7576230a4486106e18ecffce96c915c856fb4291c59d694895
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD542386604e5c4ad8409844c66229abf03
SHA1fbffceee3a78eccd687f4a5b44080751b56b2653
SHA256dbd36bbc626687a235a6e0e6a6b07ef607e5d024ecc27f3f2462aef9a36e256a
SHA5129a26ef714be5fa9f82c63e673507e1610d720ff933d631df971547255c659f25b5c8feb11c0755014b47e7cbcc6cc82619ddfdd3da24739f9b87fa350025ca3c
-
Filesize
1.3MB
MD5804016cd542f051b145eba151f277b23
SHA1c24272a8b0a3fa03848d39a9bced6b67bf534ef9
SHA2562ec196c2df68f7fe5573cb051d9c3559bc1cf5b6525e6d171dca9169cd8c10a4
SHA512794fb9ab53f1e2b19c46b8bdca2dc504e3c6736dc07cad564b1d5871b55912695c5d0f0ba4dab8f3a1ab541b1c8235d837001135e77e865b599b4a5de2f17563
-
Filesize
1.2MB
MD5708a11dfe9e65b4ff79f3e828cf21d58
SHA1a1c464cadf851cb646eb6b20c56d62eabfae378c
SHA2569123b22bae2efb554107c64393ad4c6e4ca165e7adeb45daaa12906490353e63
SHA5128db19025907040e44884a603da31ec105786d05609367066fc8ad20ec9fda95822f069117e913585c5d0bbd9d6d7be88f306ff5e42867aace34089c7d9189989
-
Filesize
1003KB
MD582f61ffdcfba75e98196291a4116a1ac
SHA12ef771923a3d94f0145d26366cc80bbbce961eb4
SHA256c71ac79c1b4f013c893842e29941fab9714b7c21f28475f49d98117333d8429a
SHA5128d6efd5f5c5acbf307599f4366a3efe51e79e65e072a3a45ec86375f6df2ef6e009dbacf7cf7402fed7bc082d4fffa2281c92aa66011e5b4a2986dd42e9436ee
-
Filesize
1.3MB
MD5e9382e46b28ae312be22778b2ee75e4c
SHA1efa495e701af2636be308bb86bd8fddd4f51e421
SHA2567316c45cd52e8bed14fda504065493ad6ed8d545996d979375f254b7c688bdd8
SHA5124f985640223506b3ee3d74de476910c7afed0b20c5481ea2e86d9bb90900e2b537179a0304dde6740cf229e949f47e035429644d1f8140dd790b1b114d50be04
-
Filesize
8KB
MD585f7702c783ad186ea73c8aaa6b1b7d0
SHA19c1915242e1136def1e9859a93763060f2eaf96f
SHA2566290fbd55483f6d12dab9e34ff68b0c0a3be34cdeb64dbefdbf22a97fbb879f1
SHA5123850f5bc00c49ed4f92ab7db4acdda83431853f3c932d3a0e4abe92a7334e04ecee358c339242c66d368b7572031c2915a80496821f932204c452d58aed8ed6d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0204c4b34e25f2c9881634e6a8826145\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD57d20892f49d20510b873005778f448ea
SHA1a1566effd70c74ddb93b60416ed4b23acba5c612
SHA256d3fc8a60e1839a0d2b498719faf5ca4361adc7a9d39ad93cdeba4a2addaf7ed5
SHA512719ca76db87150e472ec15089f4f51e936a656bdf808d9a604cb7aad479305dab1d175130698060eb9fd6abbcebabc6849dd6e361195cb6cd27fd45871d5425d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3f879096d16bffa16dacb5d38152f8cd\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD582f63c73c502822adb0099a1560de64b
SHA1abc4e6a5121c519f89cd3e0ab2befddb32e5f599
SHA25632282df63f8d87fd9d693987e1baef58c2822bcc25ab47bcae2d8d7a4ba6978d
SHA512e699084e168af11a20715dcbf076aa7f90ab950df7c5626bf84e95648d6bf646de5c05803e03ab2a9cb1816b3ea6f3272d24245841f2560fa8544f608bb1465a
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD51fa4c663eb7f4f3f5e7547c8d2849c90
SHA17a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f
SHA2563febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166
SHA5123a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d65a332484d5e6f9dfc625b3a3a6d668\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD5cd08f54589a07dd3cd306db76921597e
SHA10abf0a8b182df3a54ee9d96fb8d84ee06131b0c2
SHA25648ff64cc35648593eccc7d220a47102941d2607175bece03f260783a843d0e23
SHA51211511508441098b5c982f47cec39e06f10c65fb17b606559bd358e6dc4ed401481c07afd09c92b57172a5a6754be60b7298ad79d6dcb44ea6e67bf3564e28398
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.2MB
MD5afa82b30742ef6b9325453a4b7f8b042
SHA1fa0fca87805e043178645a7ec6797e6ae66e868d
SHA256495ddc5a97af08aff7b615c9d1dd44a194b5f5ee1afb1422f35ca4cfeca295f3
SHA51201c2fe2b8de5f4326bdf572af3ccf07cbaec7bcb0fe3ff092b9a7aa9b663af432cbf7ca721169166a7b442e729fec0368f36f37ea3df1b65744a5735da799892
-
Filesize
1.3MB
MD573a1828dc7f3bf83f5f9a4bfd8c9e02d
SHA10ad2e1fb00163c932ca2d00870290a2c1ba1831d
SHA2560712d7815f99ce7fdc533fea5c3c94b22a63b914f924abc150804aadc752f12c
SHA51221b3b7b78c556b19d801518fae5c3582bb1edf8fe61b9c0b4096aca60c47559dc591a150e198e1d8bc7eef1fc3b8cbc3d7be52599df5fd59c5e3e0d78481b031
-
Filesize
1.2MB
MD50bdea9d5e7ac7014fbba39d91586c5b6
SHA1f11fac9e436119cd8e0e20c43bb81b7ef28106d8
SHA25653b9882e5f6c064f231cbd1c01f5cea8f6c74b6353085d0bbc9bdda2728ccf60
SHA51216e6c7d968275d3df1362bcac62e34c778bfbbe6dde0e1b576e950022437643146910a5037ff45133cfb03a67114ce859cf772579ecd4c5ff485b82e6826a14d
-
Filesize
1.2MB
MD53bdc5f1db2025c730814732596c33449
SHA1f91b927d2c63dbfa995aeb6777e098bdf745c6ff
SHA25651048e0c9aa62a977aae8aa0add2f59b71d7f698f209e5d9ee00cc5c9e9e8376
SHA512ef561b62a96538d1cc6c67085517ad6c35e8e109dce9a085d11aabf16dad9f6486f59111488eca2f13f7a56374fe3c9213f6a8e46e04581928035ed719cc1b49
-
Filesize
1.3MB
MD51e22b8f415a9650848655ed308969a75
SHA193a449b589a19f7cf16c99862a7fc501c33c613c
SHA2564519d0bccc31d380d9b45c4f07a3aa0c1f6dfad38ae0fc3491ee407808c49f17
SHA512210d27a8e7093418a6dd734ca92a4c253b5879d04dd4dd905d30746776e1f4aab6d5f90c66afb0b010d1f89af4ba241562b41ff44a0bc3dd4b98aeaa6e3d5d35
-
Filesize
1.2MB
MD565726415af2c2b5b14dd46654f9408ba
SHA1f80a25cb4e6c625a09d94d0b0782638ac00a94a4
SHA2565c7dfe35f92c608c937b807d044d0a17ee69231747e77920a0fb2849884c8a70
SHA5120a7f109121a50fe8b33a2986f4334bbe629a3d46a77c66de6be78e734fb1d264600dc181894d2cb4049bbe831fbe33fa05daf037f006e0379e8925fbd3097436
-
Filesize
1.3MB
MD5973182c5b3cbeea8cbe4473bed17bf3f
SHA1753c59b901a361208acca6e362b934907e574c6c
SHA256a4ec6d17b17cd7be60410eb5bf794a428ddee46e1c38ab5af7b932055e7e8729
SHA512be3ca077c4860d3d26566b6ac8ccd363265a59a4c50da7681c136e860e29997a14f61849f86df3f8a33be81f81eb03ba1892e70aac3400cfbe49536b3b75dcf1