Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 20s
  max time network: 156s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 18/10/2024, 01:28

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  Resource: win7-20241010-en

General
  Target: 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  Size: 4.8MB
  MD5: 191b51a6c776ae3e80f3d4a4e0fc7c2a
  SHA1: 99f325838412867a0141c454229fde8de7dc47ae
  SHA256: bda264b64178257ee2590c8c3fedeee851322a8f03a8eac970ea3c36c3822524
  SHA512: b442c6c3718b3de89afde6e22b0b07c09d4ce3a52d3be92a2b55e0ccfcb9d55023325a30f6996ecb03c2921325358bc662046ba2200e6ec209258ab25020c56f
  SSDEEP: 49152:Qj8f3jtqiCLg9LK2hIOR+k9jdAsizqxSiZ4K5MZqkL92c6nkdmbD7iIerM1R6ZP6:7rZ4K5M+XD7iIewG+x6xZ14WB2Yyjl
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
  pid   Process
  460   Process not Found
  2976  aspnet_state.exe
  2580  mscorsvw.exe
  1164  mscorsvw.exe
  1312  mscorsvw.exe
  2924  mscorsvw.exe
  1400  ehRecvr.exe
  632   ehsched.exe
  2164  elevation_service.exe
  1824  IEEtwCollector.exe
  3008  GROOVE.EXE
  2568  maintenanceservice.exe
  2276  msdtc.exe
  2808  msiexec.exe
  1572  OSE.EXE
  3128  mscorsvw.exe
  3144  perfhost.exe
  3316  locator.exe
  3480  snmptrap.exe
  3588  vds.exe
  3668  vssvc.exe
  3800  wbengine.exe
Loads dropped DLL (10 IoCs)
  pid   Process
  460   Process not Found
  460   Process not Found
  460   Process not Found
  460   Process not Found
  460   Process not Found
  460   Process not Found
  2808  msiexec.exe
  460   Process not Found
  460   Process not Found
  460   Process not Found
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (16 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\locator.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d88f189d5f6c6349.bin | mscorsvw.exe
  File opened for modification | C:\Windows\System32\vds.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
  File opened for modification | C:\Windows\System32\alg.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\System32\alg.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
Drops file in Windows directory (26 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\ehome\ehsched.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
  File opened for modification | C:\Windows\ehome\ehRecvr.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GROOVE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OSE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2144  chrome.exe
  2144  chrome.exe
  1592  ehRec.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 1312 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2924 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: 33 | 1436 | EhTray.exe
  Token: SeIncBasePriorityPrivilege | 1436 | EhTray.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 1312 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 1312 | mscorsvw.exe
  Token: SeShutdownPrivilege | 1312 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2924 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2924 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2924 | mscorsvw.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeRestorePrivilege | 2808 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2808 | msiexec.exe
  Token: SeSecurityPrivilege | 2808 | msiexec.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeDebugPrivilege | 1592 | ehRec.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeBackupPrivilege | 3668 | vssvc.exe
  Token: SeRestorePrivilege | 3668 | vssvc.exe
  Token: SeAuditPrivilege | 3668 | vssvc.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
  Token: SeShutdownPrivilege | 2144 | chrome.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  2144  chrome.exe
  2144  chrome.exe
  2144  chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1628 wrote to memory of 1224 | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe | 30
  PID 1628 wrote to memory of 1224 | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe | 30
  PID 1628 wrote to memory of 1224 | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe | 30
  PID 1628 wrote to memory of 2144 | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe | 31
  PID 1628 wrote to memory of 2144 | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe | 31
  PID 1628 wrote to memory of 2144 | 1628 | 2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe | 31
  PID 2144 wrote to memory of 2952 | 2144 | chrome.exe | 32
  PID 2144 wrote to memory of 2952 | 2144 | chrome.exe | 32
  PID 2144 wrote to memory of 2952 | 2144 | chrome.exe | 32
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1872 | 2144 | chrome.exe | 35
  PID 2144 wrote to memory of 1132 | 2144 | chrome.exe | 36
  PID 2144 wrote to memory of 1132 | 2144 | chrome.exe | 36
  PID 2144 wrote to memory of 1132 | 2144 | chrome.exe | 36
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
  PID 2144 wrote to memory of 2360 | 2144 | chrome.exe | 37
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe  (level 1, PID 1628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe  (level 2, PID 1224)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-18_191b51a6c776ae3e80f3d4a4e0fc7c2a_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x19c,0x1a0,0x1a4,0x198,0x1a8,0x1403b7688,0x1403b7698,0x1403b76a8
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory

  C:\Program Files\Google\Chrome\Application\chrome.exe  (level 2, PID 2144)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2952)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8129758,0x7fef8129768,0x7fef8129778

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 1872)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 1132)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2360)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 3036)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2108 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2032)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2116 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 1700)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2964 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2916)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2512)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1264 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2060)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2964 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 1152)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2940 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2480)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3848 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 2832)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4184 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  (level 3, PID 3068)
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  (level 4, PID 2504)
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fa27688,0x13fa27698,0x13fa276a8

      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  (level 4, PID 2568)
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe  (level 5, PID 1828)
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fa27688,0x13fa27698,0x13fa276a8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 4072)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 4088)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 3176)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (level 3, PID 3516)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4256 --field-trial-handle=1368,i,1648727968789875584,5859385882420047508,131072 /prefetch:8
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  (level 1, PID 2976)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe  (level 1, PID 2580)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (level 1, PID 2476)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe  (level 1, PID 1164)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 1, PID 1312)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3128)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 258 -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3896)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2dc -NGENProcess 2cc -Pipe 274 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3680)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2dc -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3992)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3760)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f0 -NGENProcess 25c -Pipe 2d0 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3724)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 26c -NGENProcess 2d4 -Pipe 2f0 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3292)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2ec -NGENProcess 300 -Pipe 25c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3820)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 2d4 -Pipe 304 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3488)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 308 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 924)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 4036)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 30c -NGENProcess 2ec -Pipe 26c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 2676)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2d4 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 2156)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f8 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3684)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2e8 -Pipe 31c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3696)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 310 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3352)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2f4 -NGENProcess 2e8 -Pipe 2d8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3556)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 2f4 -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3744)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f4 -NGENProcess 324 -Pipe 2e8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 2732)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 330 -NGENProcess 310 -Pipe 30c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 4080)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 310 -NGENProcess 328 -Pipe 334 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 2020)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 314 -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 276)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 338 -NGENProcess 300 -Pipe 33c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 1652)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 324 -NGENProcess 320 -Pipe 32c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3932)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 31c -NGENProcess 340 -Pipe 370 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 1684)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 3b0 -NGENProcess 380 -Pipe 3ac -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 4072)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3a0 -Pipe 3a8 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3880)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 3b8 -NGENProcess 31c -Pipe 3b4 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3716)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 31c -NGENProcess 3bc -Pipe 3c0 -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3988)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3a4 -NGENProcess 39c -Pipe 31c -Comment "NGen Worker Process"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  (level 2, PID 3564)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 35c -NGENProcess 368 -Pipe 3a0 -Comment "NGen Worker Process"
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 36c -NGENProcess 310 -Pipe 3b0 -Comment "NGen Worker Process"2⤵PID:588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3e0 -NGENProcess 35c -Pipe 3dc -Comment "NGen Worker Process"2⤵PID:1492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 310 -NGENProcess 35c -Pipe 3d8 -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 3ec -NGENProcess 3bc -Pipe 3e8 -Comment "NGen Worker Process"2⤵PID:1396
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3e0 -NGENProcess 3bc -Pipe 3f0 -Comment "NGen Worker Process"2⤵PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 39c -NGENProcess 3bc -Pipe 368 -Comment "NGen Worker Process"2⤵PID:3216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3bc -NGENProcess 3e4 -Pipe 3c4 -Comment "NGen Worker Process"2⤵PID:3796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3bc -Comment "NGen Worker Process"2⤵PID:3896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3cc -NGENProcess 35c -Pipe 310 -Comment "NGen Worker Process"2⤵PID:1064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 3fc -Pipe 3c8 -Comment "NGen Worker Process"2⤵PID:904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 35c -NGENProcess 3e4 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:3496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f8 -NGENProcess 410 -Pipe 3cc -Comment "NGen Worker Process"2⤵PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 414 -NGENProcess 410 -Pipe 424 -Comment "NGen Worker Process"2⤵PID:4044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 438 -NGENProcess 380 -Pipe 434 -Comment "NGen Worker Process"2⤵PID:544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 380 -NGENProcess 428 -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:1764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 3fc -NGENProcess 430 -Pipe 380 -Comment "NGen Worker Process"2⤵PID:3360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 440 -NGENProcess 430 -Pipe 3f8 -Comment "NGen Worker Process"2⤵PID:4072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 42c -NGENProcess 444 -Pipe 43c -Comment "NGen Worker Process"2⤵PID:3964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 444 -NGENProcess 428 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:2456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 44c -NGENProcess 430 -Pipe 264 -Comment "NGen Worker Process"2⤵PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 430 -NGENProcess 42c -Pipe 448 -Comment "NGen Worker Process"2⤵PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 450 -NGENProcess 414 -Pipe 438 -Comment "NGen Worker Process"2⤵PID:4040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 414 -NGENProcess 44c -Pipe 410 -Comment "NGen Worker Process"2⤵PID:912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 458 -NGENProcess 42c -Pipe 444 -Comment "NGen Worker Process"2⤵PID:4044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 42c -NGENProcess 450 -Pipe 454 -Comment "NGen Worker Process"2⤵PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 45c -NGENProcess 44c -Pipe 200 -Comment "NGen Worker Process"2⤵PID:2020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 44c -NGENProcess 458 -Pipe 290 -Comment "NGen Worker Process"2⤵PID:3352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1fc -NGENProcess 430 -Pipe 45c -Comment "NGen Worker Process"2⤵PID:3168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 450 -NGENProcess 460 -Pipe 274 -Comment "NGen Worker Process"2⤵PID:1688
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2924 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵PID:3156
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"2⤵PID:3968
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1400
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:632
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2164
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1824
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3008
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2568
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2276
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3316
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3480
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3588
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
PID:3800
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3952
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵PID:3392
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵PID:3640
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵PID:1360
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 6082⤵PID:4000
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵PID:1632
-
Network
MITRE ATT&CK Enterprise v15
- Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads