Analysis
max time kernel: 78s
max time network: 86s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 15:22
Static task: static1
Behavioral task: behavioral1
Sample: qttabbar-v1.5.0.0b2.msi
Resource: win11-20240508-en
General
Target: qttabbar-v1.5.0.0b2.msi
Size: 840KB
MD5: eb955a2d87dce195b5899c1d40a30af6
SHA1: c85d6f4476b2d01b5457bddc67a037bdf47e8709
SHA256: e0dacd6acb15428d2ee6f068bf2e8979013071fd2ee3ccf4a88f687a06f0b908
SHA512: 146ffdafd4f85808503867ca3687c777ac9267f67aa2b1bb169be3b125f9c012c3ab550bfc80fd3684ef912a6fc32ac5fb67f86d2d7cd3ff8f3e78e4b4cfc533
SSDEEP: 12288:3P7sn3MdpZ+7VUqI3t4P3/WOe/dSP/B6iX4r8MtDVGEq+5B/FgRd:/7sn3K+7VU/9a/5bor8MjqUXgX
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce}\ = "QTTabBar AutoLoader" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce}\ = "QTTabBar AutoLoader" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce} | msiexec.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Drops file in Program Files directory (2 IoCs)
description | ioc | process
File created | C:\Program Files (x86)\QTTabBar\QTHookLib32.dll | msiexec.exe
File created | C:\Program Files (x86)\QTTabBar\QTHookLib64.dll | msiexec.exe
Drops file in Windows directory (64 IoCs)
description | ioc | process
File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | ngen.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | ngen.exe
File created | C:\Windows\assembly\tmp\CVYK6EC3\BandObjectLib.dll | msiexec.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexf.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | ngen.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | ngen.exe
File created | C:\Windows\assembly\tmp\0YIIOZTU\QTPluginLib.dll | msiexec.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\indexe.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat | mscorsvw.exe
File created | C:\Windows\SystemTemp\~DF91673A89DB9AF929.TMP | msiexec.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexd.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA529.tmp\System.Configuration.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | ngen.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index18.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | ngen.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE724.tmp\QTPluginLib.dll | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | ngen.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9693.tmp\System.Security.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE00F.tmp\Accessibility.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA299.tmp\System.Runtime.Serialization.Formatters.Soap.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | ngen.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | ngen.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB630.tmp\System.Data.SqlXml.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE8CA.tmp\QTTabBar.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | ngen.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8C81.tmp\BandObjectLib.dll | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat | mscorsvw.exe
File opened for modification | C:\Windows\Installer\MSI855D.tmp | msiexec.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | ngen.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat | mscorsvw.exe
Loads dropped DLL (64 IoCs)
pid | process
3004 | MsiExec.exe
3004 | MsiExec.exe
2640 | MsiExec.exe
2324 | MsiExec.exe
2324 | MsiExec.exe
1368 | mscorsvw.exe
1368 | mscorsvw.exe
1368 | mscorsvw.exe
1368 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
3096 | mscorsvw.exe
3096 | mscorsvw.exe
3096 | mscorsvw.exe
3096 | mscorsvw.exe
3096 | mscorsvw.exe
1148 | mscorsvw.exe
1148 | mscorsvw.exe
1148 | mscorsvw.exe
1148 | mscorsvw.exe
1148 | mscorsvw.exe
1148 | mscorsvw.exe
1148 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2588 | mscorsvw.exe
2588 | mscorsvw.exe
2588 | mscorsvw.exe
2588 | mscorsvw.exe
2588 | mscorsvw.exe
4340 | mscorsvw.exe
4340 | mscorsvw.exe
4340 | mscorsvw.exe
4340 | mscorsvw.exe
4340 | mscorsvw.exe
4340 | mscorsvw.exe
4392 | mscorsvw.exe
4392 | mscorsvw.exe
4392 | mscorsvw.exe
4392 | mscorsvw.exe
4392 | mscorsvw.exe
4392 | mscorsvw.exe
4392 | mscorsvw.exe
2148 | mscorsvw.exe
2148 | mscorsvw.exe
Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not preserved in this copy of the report] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Modifies Internet Explorer settings (6 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a333-2bd8835eb6ce} = "QTTabBar" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a666-2bd8835eb6ce} = "QTButtonBar" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a333-2bd8835eb6ce} = "QTTabBar" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a666-2bd8835eb6ce} = "QTButtonBar" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Toolbar | msiexec.exe
Modifies data under HKEY_USERS (3 IoCs)
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Modifies registry class (64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\Implemented Categories | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\QTTabBarLib.AutoLoader | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\HelpText = "QTTab Desktop Tool" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QTTabBarLib.QTTabBarClass\CLSID\ = "{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7FFAB9CEBF85BC04F976C134A857425A | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\Class = "QTTabBarLib.QTCoTaskBarClass" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\RuntimeVersion = "v2.0.50727" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\Implemented Categories | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\HelpText = "QTTab Standard Buttons" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\ = "QTTabBar AutoLoader" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTCoTaskBarClass" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\RuntimeVersion = "v2.0.50727" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\QTTabBarLib.QTButtonBar\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\Implemented Categories | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QTTabBarLib.AutoLoader\CLSID\ = "{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\ = "mscoree.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\ProgID\ = "QTTabBarLib.QTButtonBar" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\ = "mscoree.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\ProgID\ = "QTTabBarLib.QTTabBarClass" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTTabBarClass" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\ProgID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTButtonBar" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\ = "QTTab Desktop Tool" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\HelpText = "QTTabBar AutoLoader" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\ProgID | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTCoTaskBarClass" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\Class = "QTTabBarLib.QTCoTaskBarClass" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\Version = "17105156" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\ = "QTTabBar AutoLoader" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\ProgID | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\PackageCode = "43839E8269B307343A14610FC11FDF04" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\MenuText = "QTTab Standard Buttons" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\HelpText = "QTTab Standard Buttons" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\ = "mscoree.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\ProgID | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\DeploymentFlags = "3" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
3004 | MsiExec.exe
3004 | MsiExec.exe
1152 | msiexec.exe
1152 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 4512 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4512 | msiexec.exe
Token: SeSecurityPrivilege | 1152 | msiexec.exe
Token: SeCreateTokenPrivilege | 4512 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4512 | msiexec.exe
Token: SeLockMemoryPrivilege | 4512 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4512 | msiexec.exe
Token: SeMachineAccountPrivilege | 4512 | msiexec.exe
Token: SeTcbPrivilege | 4512 | msiexec.exe
Token: SeSecurityPrivilege | 4512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4512 | msiexec.exe
Token: SeLoadDriverPrivilege | 4512 | msiexec.exe
Token: SeSystemProfilePrivilege | 4512 | msiexec.exe
Token: SeSystemtimePrivilege | 4512 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4512 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4512 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4512 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4512 | msiexec.exe
Token: SeBackupPrivilege | 4512 | msiexec.exe
Token: SeRestorePrivilege | 4512 | msiexec.exe
Token: SeShutdownPrivilege | 4512 | msiexec.exe
Token: SeDebugPrivilege | 4512 | msiexec.exe
Token: SeAuditPrivilege | 4512 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4512 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4512 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4512 | msiexec.exe
Token: SeUndockPrivilege | 4512 | msiexec.exe
Token: SeSyncAgentPrivilege | 4512 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4512 | msiexec.exe
Token: SeManageVolumePrivilege | 4512 | msiexec.exe
Token: SeImpersonatePrivilege | 4512 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4512 | msiexec.exe
Token: SeCreateTokenPrivilege | 4512 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4512 | msiexec.exe
Token: SeLockMemoryPrivilege | 4512 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4512 | msiexec.exe
Token: SeMachineAccountPrivilege | 4512 | msiexec.exe
Token: SeTcbPrivilege | 4512 | msiexec.exe
Token: SeSecurityPrivilege | 4512 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4512 | msiexec.exe
Token: SeLoadDriverPrivilege | 4512 | msiexec.exe
Token: SeSystemProfilePrivilege | 4512 | msiexec.exe
Token: SeSystemtimePrivilege | 4512 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4512 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4512 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4512 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4512 | msiexec.exe
Token: SeBackupPrivilege | 4512 | msiexec.exe
Token: SeRestorePrivilege | 4512 | msiexec.exe
Token: SeShutdownPrivilege | 4512 | msiexec.exe
Token: SeDebugPrivilege | 4512 | msiexec.exe
Token: SeAuditPrivilege | 4512 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4512 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4512 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4512 | msiexec.exe
Token: SeUndockPrivilege | 4512 | msiexec.exe
Token: SeSyncAgentPrivilege | 4512 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4512 | msiexec.exe
Token: SeManageVolumePrivilege | 4512 | msiexec.exe
Token: SeImpersonatePrivilege | 4512 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4512 | msiexec.exe
Token: SeCreateTokenPrivilege | 4512 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4512 | msiexec.exe
Token: SeLockMemoryPrivilege | 4512 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
4512 | msiexec.exe
4512 | msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 1152 wrote to memory of 3004 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 3004 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 3004 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 4036 | 1152 | msiexec.exe | srtasks.exe
PID 1152 wrote to memory of 4036 | 1152 | msiexec.exe | srtasks.exe
PID 1152 wrote to memory of 2640 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 2640 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 2640 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 2324 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 2324 | 1152 | msiexec.exe | MsiExec.exe
PID 1152 wrote to memory of 2324 | 1152 | msiexec.exe | MsiExec.exe
PID 2324 wrote to memory of 4880 | 2324 | MsiExec.exe | ngen.exe
PID 2324 wrote to memory of 4880 | 2324 | MsiExec.exe | ngen.exe
PID 2324 wrote to memory of 4880 | 2324 | MsiExec.exe | ngen.exe
PID 4880 wrote to memory of 1368 | 4880 | ngen.exe | Conhost.exe
PID 4880 wrote to memory of 1368 | 4880 | ngen.exe | Conhost.exe
PID 4880 wrote to memory of 1368 | 4880 | ngen.exe | Conhost.exe
PID 4880 wrote to memory of 1540 | 4880 | ngen.exe | mscorsvw.exe
PID 4880 wrote to memory of 1540 | 4880 | ngen.exe | mscorsvw.exe
PID 4880 wrote to memory of 1540 | 4880 | ngen.exe | mscorsvw.exe
PID 2324 wrote to memory of 1624 | 2324 | MsiExec.exe | ngen.exe
PID 2324 wrote to memory of 1624 | 2324 | MsiExec.exe | ngen.exe
PID 1624 wrote to memory of 332 | 1624 | ngen.exe | mscorsvw.exe
PID 1624 wrote to memory of 332 | 1624 | ngen.exe | mscorsvw.exe
PID 1624 wrote to memory of 3096 | 1624 | ngen.exe | mscorsvw.exe
PID 1624 wrote to memory of 3096 | 1624 | ngen.exe | mscorsvw.exe
PID 2324 wrote to memory of 236 | 2324 | MsiExec.exe | ngen.exe
PID 2324 wrote to memory of 236 | 2324 | MsiExec.exe | ngen.exe
PID 2324 wrote to memory of 236 | 2324 | MsiExec.exe | ngen.exe
PID 236 wrote to memory of 1148 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 1148 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 1148 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2328 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2328 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2328 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2588 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2588 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2588 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4340 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4340 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4340 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4392 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4392 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4392 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2148 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2148 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2148 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2812 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2812 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2812 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 3296 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 3296 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 3296 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4892 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4892 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 4892 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2284 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2284 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2284 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2556 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2556 | 236 | ngen.exe | mscorsvw.exe
PID 236 wrote to memory of 2556 | 236 | ngen.exe | mscorsvw.exe
PID 2324 wrote to memory of 4212 | 2324 | MsiExec.exe | ngen.exe
PID 2324 wrote to memory of 4212 | 2324 | MsiExec.exe | ngen.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
- C:\Windows\system32\msiexec.exe
  cmd: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\qttabbar-v1.5.0.0b2.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  cmd: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 6942C0A007E85961132F798F06BF0E13 C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\srtasks.exe
    cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe
    cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 005BDD4CA3C47D95E4FB7E02929D548E
    - Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe
    cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 3E369BC958666F616486097680533DB7 E Global\MSI0000
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
        - Loads dropped DLL
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
        - Drops file in Windows directory
        - Loads dropped DLL
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
- Drops file in Windows directory
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "BandObjectLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"4⤵
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 294 -Pipe 2b8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 220 -Pipe 2a8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2a8 -Comment "NGen Worker Process"4⤵
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 294 -Pipe 2dc -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 2bc -Pipe 294 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 2cc -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2ac -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "BandObjectLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"3⤵
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "QTPluginLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"3⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 220 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "QTPluginLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"3⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 260 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"3⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 214 -Pipe 220 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 224 -Comment "NGen Worker Process"4⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"3⤵
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 248 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue3⤵
- Drops file in Windows directory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
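Added example, not part of this report or of the QTTabBar project: a Python check that encodes the parent/child relationships a clean Windows Installer run with .NET assembly registration is expected to produce (msiexec.exe to its MsiExec.exe -Embedding custom-action servers and to srtasks.exe for the restore point, MsiExec.exe to ngen.exe, ngen.exe to its mscorsvw.exe workers and conhost.exe) and flags any edge or root outside that map. It also deduplicates the WriteProcessMemory lines into parent/child edges and pulls the assembly name and PublicKeyToken out of each ngen.exe install command line, so a reviewer can confirm that every registered assembly carries the same strong-name token. The process rows and WriteProcessMemory lines are copied from this report (a subset); the allowlist is an assumption about a clean MSI/NGen install and must be widened for packages that run other custom actions.

```python
"""Lineage check for an MSI install that registers .NET assemblies via NGen.
Added example, not from the sandbox report; the allowlist is an assumption."""
import re

# Expected parent -> child image names, lower-cased. The msiexec.exe service
# (/V), its MsiExec.exe -Embedding custom-action servers and the srtasks.exe
# restore-point helper all compare under the single key "msiexec.exe".
EXPECTED_CHILDREN = {
    "msiexec.exe": {"msiexec.exe", "srtasks.exe", "ngen.exe"},
    "ngen.exe": {"mscorsvw.exe", "conhost.exe"},
}
EXPECTED_ROOTS = {"msiexec.exe", "vssvc.exe"}

# (depth, image path, command line) rows copied from the process list of this
# report. Depth 1 is a root; depth n+1 is a child of the nearest preceding depth-n row.
REPORT_PROCESSES = [
    (1, r"C:\Windows\system32\msiexec.exe", r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\qttabbar-v1.5.0.0b2.msi"),
    (1, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (2, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 6942C0A007E85961132F798F06BF0E13 C"),
    (2, r"C:\Windows\system32\srtasks.exe", r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (2, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 3E369BC958666F616486097680533DB7 E Global\MSI0000"),
    (3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe", r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"'),
    (4, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe", r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"'),
    (3, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe", r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"'),
    (4, r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (4, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe", r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"'),
    (1, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# WriteProcessMemory lines copied from the report. Each CreateProcess shows up
# as several writes into the new child, hence the repeated lines.
REPORT_WPM = """\
PID 236 wrote to memory of 2328 236 ngen.exe mscorsvw.exe
PID 236 wrote to memory of 2328 236 ngen.exe mscorsvw.exe
PID 236 wrote to memory of 2328 236 ngen.exe mscorsvw.exe
PID 236 wrote to memory of 2588 236 ngen.exe mscorsvw.exe
PID 2324 wrote to memory of 4212 2324 MsiExec.exe ngen.exe
PID 2324 wrote to memory of 4212 2324 MsiExec.exe ngen.exe
"""

NGEN_INSTALL = re.compile(
    r'ngen\.exe install "([^,"]+), Version=([^,"]+), Culture=[^,"]+, '
    r'PublicKeyToken=([0-9A-Fa-f]{16})"', re.IGNORECASE)
WPM_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def image_name(path):
    """Bare executable name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_edges(records):
    """Resolve depth markers into (parent image, child image, command line)."""
    edges, stack = [], []
    for depth, image, cmdline in records:
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        edges.append((parent, image, cmdline))
        stack.append((depth, image))
    return edges


def unexpected_edges(edges):
    """Roots and parent->child pairs outside the allowlist, as readable strings."""
    findings = []
    for parent, child, cmdline in edges:
        if parent is None:
            if image_name(child) not in EXPECTED_ROOTS:
                findings.append(f"unexpected root {image_name(child)}: {cmdline}")
        elif image_name(child) not in EXPECTED_CHILDREN.get(image_name(parent), set()):
            findings.append(f"{image_name(parent)} -> {image_name(child)}: {cmdline}")
    return findings


def ngen_targets(records):
    """(assembly, version, PublicKeyToken) for every 'ngen.exe install' row."""
    return [m.groups() for _, _, cmd in records if (m := NGEN_INSTALL.search(cmd))]


def publisher_tokens(records):
    """Distinct strong-name tokens registered; a clean package yields exactly one."""
    return {token.lower() for _, _, token in ngen_targets(records)}


def parse_wpm(text):
    """Deduplicate 'PID a wrote to memory of b a parent child' lines into edges."""
    return sorted({(int(a), int(b), p, c) for a, b, p, c in WPM_LINE.findall(text)})


def unexpected_wpm(edges):
    """WriteProcessMemory edges whose parent->child pair is not allowlisted."""
    return [e for e in edges if e[3].lower() not in EXPECTED_CHILDREN.get(e[2].lower(), set())]


if __name__ == "__main__":
    print("tree findings:", unexpected_edges(build_edges(REPORT_PROCESSES)) or "none")
    print("ngen targets:", ngen_targets(REPORT_PROCESSES))
    print("strong-name tokens:", publisher_tokens(REPORT_PROCESSES))
    print("WPM edges:", parse_wpm(REPORT_WPM), "findings:", unexpected_wpm(parse_wpm(REPORT_WPM)) or "none")
```

Feeding the full process list through the same functions is a matter of extending REPORT_PROCESSES; a row such as an MsiExec.exe -Embedding server spawning powershell.exe or cmd.exe would come back from unexpected_edges, which is the shape of custom-action abuse this allowlist is meant to surface.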
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Browser Extensions (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Downloads
-
C:\Config.Msi\e578483.rbs
Filesize: 199KB
MD5: c42e9f3356a485e83c84ec73007f6dd5
SHA1: 171d562d255957c6f6c7a6b89c8e241fac86dfa4
SHA256: e3c2dc8f1536078f939db59422bb251012d538806744879a7c9eb7b6b15dc2fa
SHA512: e83ef0df0e7fea8185f26fb6ce45c3c7063f68a742adee73efc80046f188f62e924a0b647e2c7474f840c6f3cd808daf6d4d631fb2f42749a58386cc2c761dda
-
C:\Users\Admin\AppData\Local\Temp\MSI42D5.tmp
Filesize: 50KB
MD5: bd7f08c994addeca5b609760832e884e
SHA1: b34b3e47ea634fc66372a4bf49dd313a211aa056
SHA256: 1549b4ddbd1059f733475d9e1b42715288150c51ccf166a5aff94154b91a8d1a
SHA512: 4493f8585326fc259237dd72ae1bf6a54f9986fd0dd29643cdc3eec120918cb86df13e4c1779b515515dea4421fad51d50e6949b2a02d5779eaa7fe355a545e1
-
C:\Users\Admin\AppData\Local\Temp\MSI610D.tmp
Filesize: 67KB
MD5: d54dda22bb374be5ac6862ea757cad82
SHA1: ff2a6710991145c039915869b3887536376b3b83
SHA256: 3b727a1a70641abae30bf2d0b3ba1edfcc44b2873364942b9ecd69bf57defb40
SHA512: 018fff3bd7f613f8546037c0b7bacb3a0abd35f51f6bdd33f913341196900da350d824a598616147784f01aba1a2ec0d7e6de2bd05964328028d5420361a5151
-
C:\Windows\Installer\MSI855D.tmp
Filesize: 85KB
MD5: 5b58382b995125ce824bf396e64bcec1
SHA1: 323d5c15b6ffa611c88355aa68d6ca5b92494992
SHA256: c59f6450eb73e5803220e2b75ac8c926fd001eb9ffe4ee8f1f5cf886a70c5f4d
SHA512: 69aca6c5b90e3568202af7105cb8fa3e832ffbb9c0bd89652c732165af9d240c45fa93c81da9d6b3c3e4ec6911e19972a63958a323214c212c119ac2dc716b3b
-
C:\Windows\Installer\e578482.msi
Filesize: 840KB
MD5: eb955a2d87dce195b5899c1d40a30af6
SHA1: c85d6f4476b2d01b5457bddc67a037bdf47e8709
SHA256: e0dacd6acb15428d2ee6f068bf2e8979013071fd2ee3ccf4a88f687a06f0b908
SHA512: 146ffdafd4f85808503867ca3687c777ac9267f67aa2b1bb169be3b125f9c012c3ab550bfc80fd3684ef912a6fc32ac5fb67f86d2d7cd3ff8f3e78e4b4cfc533
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Filesize: 155KB
MD5: 489b74057dca758bb645a09b8cbd0de0
SHA1: d295a5ddeb570062233cadf6c9229313fc55ed43
SHA256: eb4cd522124e5093eb34c952e75493e654521a38a10af03ce57f1cecd7ef45cf
SHA512: 3f34dcb8209b2024d647494de6281c8cc7e383101082b9bc485f818ab9007c19de416bc2ae690baa15b3378748ea2abd7728ac7bef304ba24520614bb64c5ae3
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Filesize: 155KB
MD5: 268fd556ebf955dc7314e04064d5eeb6
SHA1: f29d157e049928e068af8ec17e6e8948ef542753
SHA256: 627d7e919d4e87cbaeb17cc12730340acd79893603657cb77035f3a74338af40
SHA512: ab43f843cccb278affc9134f78ff12ab5a7a77f9f49780e8af943c7023a6d650bf7e975497797954b1ca8c06a25d9ac3b6aeb60470d11542184d5a51d6ecf11c
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log
Filesize: 146KB
MD5: 995babc72f744002b5fae8145e9425ab
SHA1: 362071d86ac53072232180521a9cd059f92cf0b3
SHA256: f7502b8a08a2cdd146dd835a08151e2aa5f750ca78a736ebd7e629f6f4047953
SHA512: 96452417e06e4b695ea33ad1e62bf411b0b56b1f6bd98501232b60f7b1ebfdb671a835c5bf19fb690fb8987b7da4975c2e3f69a956216357d73306abdb9c7624
-
C:\Windows\assembly\GAC_MSIL\BandObjectLib\1.0.0.0__973461f1cd23d8eb\BandObjectLib.dll
Filesize: 28KB
MD5: 0488729b655c9fb4d43997db23773688
SHA1: 6e899508b6bad3aa94c99f335df50dc14cbcf02b
SHA256: 2d5d5ad117b3bd4ee93c36f817e011bcf1330ccf7539d287fc3019dd6a6e1445
SHA512: 36b7bc0c07980f375ddf47f6dd723b3f0a458906155a1dd45c5715d63108402ca0ca737824f1bb745de353fd394d98df155db02b0f4fa6f6e1059d20c6da103c
-
C:\Windows\assembly\GAC_MSIL\Interop.SHDocVw\1.1.0.0__973461f1cd23d8eb\Interop.SHDocVw.dll
Filesize: 136KB
MD5: 83ab7cc9791e5f9093acc797f1d1e48a
SHA1: 3b87bfc09f9f59237c45a260f2837c514f4bc7ca
SHA256: b81c92a3f8a6064d05a9cd9f11c0b58cf2240974435f0f822b7c06231b12c61b
SHA512: 5783996199696b03826d62b2d19b8ebcc17964851045177031e7fe265842a5ba10c791e344d7e70016c3118981b6208d5526bf856bc503d9d02195e864d9bd0d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\10df751d5f95f37d9c88b64e1beb8dcb\Accessibility.ni.dll
Filesize: 25KB
MD5: d7467485e45b04f8fdcd93ff0a3fa48a
SHA1: 7197c9065062ca7f42dbb03ee2f49e14961d3c4e
SHA256: ad553ff167e90219be73541b38b24bfe7367c1814d2c6eb098eedc0042cfd41b
SHA512: 97973a483797cdc8db4fada668afeecb5ff46820a19576e2bc795648caa5c3967f64c176389ff66635ecc3357265cd14a2d929d59f45ebb418685317bcbece5f
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\BandObjectLib\23b9fe8915c8d4f2962704af239e1ec1\BandObjectLib.ni.dll
Filesize: 51KB
MD5: b4b9a1418e7633bed00ea1c46665a9f1
SHA1: 6f6431bcbed58148d3bb961dd814401c68c587bf
SHA256: 9a91b4280d3e33a65e276ae40f00c6a72d1c5681bfe55569e8b2f169ae603723
SHA512: 7fa2a56e6bfbc44b74f426fc10278e408087aa29986818c8217c3303596356ff5cad1c3fe66a988951f67e60fbd5b0858549961aeb7dab1f4b0e0b2cb8ba0cda
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Interop.SHDocVw\bd1d6d9d345cb930f5e34d8a2170b786\Interop.SHDocVw.ni.dll
Filesize: 336KB
MD5: 99ff6537fe4e5768c5777daef2a45978
SHA1: c717151bd4a49f6b0b388e00a250125926b5871d
SHA256: 572bf1a6686e49d7d01e262893b0e4d1a053cdc08b758550650b3154b6795b24
SHA512: 95c873335bf5ea604c62c9f4778e66e29e245c5fda6df2cfa33a9f38ca2452b97b43ab618b8d7873bf2cc148a849caecede4951b5604cd215c8870a846298d3a
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\QTPluginLib\b2763391993e536947c1bf73d3d8edd3\QTPluginLib.ni.dll
Filesize: 68KB
MD5: 577539339941c58e8167cf1a328f0cc6
SHA1: a2cd69fd5413c9703b9d89cd5ca5f2c91598be46
SHA256: dc8c0c6f3c478e84bcba895264efa4bac2a8be5cc5c16fb71bf36c4d66e2b760
SHA512: 5bbeddda7c7a3a0a5566c1d21e8cb1d754c128e42ce68d67ef75d51151b9d07dbbb0c01c363ceafe428fd13b44b4b75aa0108e9d7445446e240857852630ee8d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\QTTabBar\088266f1c42ef1ca9fa5bc67b517cae1\QTTabBar.ni.dll
Filesize: 2.6MB
MD5: 2aad024e9317e4dda066c90c9a93c91a
SHA1: 51a9c276e15f6dff3e37d39607570a13e35a945f
SHA256: 234c7af63ccda72ac9700e502e7c0740b8f585136af09ef561710e495784895c
SHA512: 79937a91240d83eeb629ada372b956763f856e3b08a10ed9165bf5e64f9c1b31cc16fc8234c9b7ea4951847637f869c348c8d1ebccb4479cad5f9ef842437d1e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\1ecdb24396bcb9857fa0de5e002471e6\System.Configuration.ni.dll
Filesize: 958KB
MD5: 1cb62f3d8911973b06103dc096991c11
SHA1: ab5c4a252d2addb7fa040b5321046ceab58becc3
SHA256: 9a49cc144445723e87d94a3a9e9d38eb5f79a26895b9b47538060ced3b8b40aa
SHA512: ef1b5ceac3662a1717a60d9f930534a8c72343d6484270d3bf97052f9a6388ab706b4aff694453b306dfa8fab3989536827286dfc3bbb1ff6367386a297b5a41
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\9c7a24561961e5eadea2dc93bb7c8492\System.Data.SqlXml.ni.dll
Filesize: 2.4MB
MD5: aa0ddbf341004af7a4dd01c116580968
SHA1: 4159cae44b546355f60a3b3eb3cba96004637380
SHA256: 38046b4dbc84a0af01ef479b6b54011fd4392fee5cfab6caa17bbb88fa7977e9
SHA512: 69e2f249e059f070b7803072c691db85db056d5dfd40377ff27683e75c0893f4af45629cef360b9d21be5a936a1299b6f5671e65f5216fc34dceaa787b1ee15d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\324e8e15d7b35ab06f77270d904a5def\System.Deployment.ni.dll
Filesize: 1.6MB
MD5: fb5ac6b1c0ce8774b9be3c278f2e13e4
SHA1: 609a3915a4452df69d80d9acf1d94a9a23483ef6
SHA256: 24d43b799b9e4cd2605d5c69865753c67600195d6622cfb1a1960547b9ba2518
SHA512: 8356992a5415348c20fb5e8e4f28b23ed4923ee74fb8ca4c31725d1ead5d0e24bef303954b8d991e80533606a255dd75c01f59bd28cf6ed89cbda9aee8894fbf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\d08771e80605c11c9fd171dc4e549e7d\System.Drawing.ni.dll
Filesize: 1.5MB
MD5: 88d18286009d006166fb202312f7039b
SHA1: 4bcac7df96a6a04f0e9e32270756c5e8e06a72ff
SHA256: cf510e0fa61e87d59ed569a713b9b4e49ac75695cae3b22ef2ac24eea2b569ad
SHA512: 3df4ca1c5301df11db320964a1203fa7f6087f499e50e3985a2f9cbc356c210a18ec4b85309d61f68c957b57ec0226bd3ad75e4e22e4e4900bae4aba7ad934aa
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9dfe2dfe6827a2ae6da4f06e0a04402c\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize: 303KB
MD5: 4c947dd62b018e5c81648ae4bde2db59
SHA1: 81b30a695bf5aeaec4fa15cc97facb1acd171acf
SHA256: 2d78491eb040d73c25b607b37f189f55a58efd90c0140fe168d442f02386ba1e
SHA512: 8dce80408eb831b490a8f119b236919bdf50247d8740153fb696e5574ed34a9c5a76aa15dc0294029fb45f024dccb360865e68730d895a6e8b6fceb7dad178db
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\3b6d7bf601438839b52ad3eb480061f5\System.Security.ni.dll
Filesize: 705KB
MD5: 6c9ca33de94dcdb888550b432c1d9632
SHA1: 24fa19b9b96b880dd0c61c5b69bb4dce1161647c
SHA256: beec57e255e4db1ead56a3fb147a8407352580b0e2a3e95abea569dac62ec511
SHA512: 5dd2deff15619bf401c1a0c2c02c39db750d0fee21128e4dd36fcc785d90a407b9c60d2375fe60c08c3d41a995e90365138a76f2434b5290c8c68eeb4a741503
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7e3c2dd0319b33bd46951a923b6c0bea\System.Windows.Forms.ni.dll
Filesize: 11.9MB
MD5: e2569429243b123bca263865b75bcd04
SHA1: 1f5b43c8257754ac1d6ced9955e062afa2b3f886
SHA256: 0801188d8398bb1611e4ee1178a38ef34b3571195261ca5dcf94bc2ae3b75a7b
SHA512: d7d7199f0bf14d0cb3c347aec6806aa0d3d2e8748c87ac006eea3d385a0b1274bed76e3e6cac0ac66ef032b8c5d47cfc18f7e8e6e43d11cf5c3ae7ae7fbbffb8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b37a4f2d7acaa0e74eae1b056fa7dfc6\System.Xml.ni.dll
Filesize: 5.2MB
MD5: c4b3a3cd8c8b8dcb27130915bc3b988e
SHA1: 26a294f63ad52b65059251473e09d90c51b56f2b
SHA256: f83a83b6cdc9c95a183b0cd841a6391db263fa27c44d57ec0fe7e577af158718
SHA512: 9f543eca80e2463d7deca3001d04380e9f15580d4951d7f3954abdd5f8a4f5879c807329de7d288db950caca36f5c417c0d1d0783637b2cc270661dfe298ecaf
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\e176a6d5cd5cdfd653e8096aa31617f8\Accessibility.ni.dll
Filesize: 77KB
MD5: a2e50fcb10e8525c93dce6c99fbe43ac
SHA1: 09a2d26a808f1c89b3673ca18c039dc59d26532e
SHA256: 70f98e52fc8bf0321b9562cccd5ab2f3b5062e9820909a3a9ad2c424c7b36bc3
SHA512: 92201aa57506ee3bae3c8e590806c6f01e79166df86c956d656b9b829cd17a7c550bbc2ab7659bd380a6f275324845586352078b480ab5c4212b72819e096071
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\BandObjectLib\c9dbb8e1c624ff666dcb4b63ab148b20\BandObjectLib.ni.dll
Filesize: 90KB
MD5: c055c8a8a11ae0e764a8ea83cabd2ade
SHA1: 96187011c15ca59b26a11e4cc72c1d6e98a5ee66
SHA256: 3591e03982d95c3006acf75187d45fe99baf7206f5c116841c44e4eced671ca0
SHA512: 507a0fe2ec20a9e0e9e6b1cd879d61d77f99e38d042ed7a28692814325eb6e87bf7752de53cfcb1dd44a6bcadc462dfae72c44ed540ae0944daccd7f3a4819f8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Interop.SHDocVw\7307b3dd97ffb95789cd98fbff1974d4\Interop.SHDocVw.ni.dll
Filesize: 738KB
MD5: cdbf24191e91a0d6d4967703625938ce
SHA1: e216ca287b73edb1c0f2b26535645c1626ec3658
SHA256: a3567622a28cfa3df293df0e9297a4c07eccd25a73d104fa829e945e46e91bce
SHA512: dc6ff58a07ee40c16f25b41f201c0c126503c53feea61cf9bbf6b185c928e65c4be86124e94217c55982f4fdd3158cc5c0cd3c9045bd4af6505e3573fd0f1391
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\QTPluginLib\0aafe72f12f3384ee662c819dc8681a5\QTPluginLib.ni.dll
Filesize: 165KB
MD5: af6cd9c21c045fc76ca8e790058fc90d
SHA1: a649fc6e5957af99356b32a7ecd739d93dc784b3
SHA256: a23b9fc65932a9c552e4229896e0ad789c7bc15922020e22276f1edd45b57934
SHA512: 75e5f5a265999947a85de4b900e87b37a6cb34c8ad9686f3cd849e0a05652376e9e7fc0b958f19bed9c1936a3e4cf6bbde3dffe6fba5a64047d10965a5a76555
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\QTTabBar\58409835d5267f6f2cd4ba99a989f95a\QTTabBar.ni.dll
Filesize: 3.6MB
MD5: c32ac1156d313261279093a201145388
SHA1: cb2f74e16e67947328fbf2735acb81d941c6a72f
SHA256: 7d99087724dfd0d1825325f681244c5a5930a421aec4bdb2a397334ba0408bf7
SHA512: 1245064824b1ca458cb85736ded2889ee16572eac48632d17ebd80ce47416810ff463f82b0c8d18a0c40ad3870c617d9a3240e4ff485a7a95cca0604dc97e6dd
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\e4db39da8a3b5543110df6ddd38ffeeb\System.Configuration.ni.dll
Filesize: 1.3MB
MD5: 060d36538a1c937e32943af480971b3c
SHA1: 657c94ac480653524461015bdfe761dd212c31d8
SHA256: 6fbd851b513860f8354ed70c447ebb5f16754be86057c87dd6d46988f9507c08
SHA512: 4b8ff37bb1a9a43d672782f3fa3e9ace68a444bb71d8088842090e8c82fa5f2cbbfc2bdd12192af7949e269d8b957cc0bdc283469c15624efa47e4e1197c03ac
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.SqlXml\466db48c0235f1d6a651e870b94d9391\System.Data.SqlXml.ni.dll
Filesize: 3.3MB
MD5: 7863dad6521ae06d91567a415e4476d2
SHA1: 54325d3e8fc1e2b698c12f70fa3ab85ef4b5c523
SHA256: 0b038ffd06d568adc200d6a8909d3a05c3f66580ff13db3590797fe674825101
SHA512: 9d4ebb8490ba920d833947dbda98a830c82e1a94b98091f9fe8768de037e33334e1e27b3b31e88470a87a5c8357b808e1a6c7a77a5e1fe58b11990e00ae473c9
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\e440b98295230d470860686828cad356\System.Deployment.ni.dll
Filesize: 2.2MB
MD5: 056f22728c8c630c4034d8b07936ba1e
SHA1: 0a9ed151742ac74d745f4a2a9f8891a191f29065
SHA256: ab1f07fa49a944c47b29d52ccaf1b926985ed230c2ba78cbbbcd578231a5f9e8
SHA512: 4bab3240e6e6fb2ddcf5fde7be516cf64c0c1882ba5c9da7163b8174d3883d4985c52c25a00f0b4e0dfd717980713775a614024afbeebeb6c5ec8fdeba22619f
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\c7e28b9bc4375c076434dce6fd7bf657\System.Drawing.ni.dll
Filesize: 2.2MB
MD5: d9c40ec0dadd4e902bf4e862c42a8411
SHA1: 2527b3e1f404ec3030f6553cf54f466830c4b95d
SHA256: 4ce12ed8daef863e9aa208a1e66d8df449306bfa417f0beec43da0b545cbb23d
SHA512: 9b54ae2242080ab5b15a9c56e4c1991a9fa99b9df184835a5d7a0c166d68cc6af7316473bef186369d1d411c55d4b5631b848647327357bea181d3000708d918
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\73d2d7d094c2c3328313c73b10aedb97\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize: 387KB
MD5: 4ae40df8d34370140a381717ab50ee43
SHA1: 77e48136dade400051a769dbcfc00df53c418a26
SHA256: 229f36348993d723444e3efd8f7271a4faa5e1076e6d22ec74f0e81e0a988c44
SHA512: b9f1debd3eb7ced28f864e5adf271b4f3a999f975b267112dbc4e58a7ecec8e4246f6a9093f576844f2365ce41de380e0a24838b999db345c7a6b236de647133
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Security\170c3a6a84f7509ab63e98937e4652cb\System.Security.ni.dll
Filesize: 960KB
MD5: 6f61c6adae2b50681325a6dfddb29d62
SHA1: c406bb31cdb08d38694efaf93b04cbb4f081d001
SHA256: 2b51e20e4debe5c2e697e032617b7d7d6d4251508e1423019e24bb851efe6faf
SHA512: ed49b6cf1417d1bc9508ab586829c8437bda7f1bb572bfd06b7ebab894cafccadd653ec86b13052dff4fb19436c3e0e498f5541213c16fb653d2574ed13723d6
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\8207c013c0f0da13624762755d9e7c4e\System.Windows.Forms.ni.dll
Filesize: 16.6MB
MD5: 796a9ddd51615383d3fff96b38c6ddb9
SHA1: 52bbe495b840a58bf0ea333ad2f685da8803ae5a
SHA256: ba71dd4860e1fe1fbd91774f03cc637d7b890c610627280b41d4e29f15070457
SHA512: aeff4108a6727093a59b12bace8893a6a332a950199537a251aac60a2e232fa0ca12bf51fc8223474b06f9a9fdcd5fa5b4fc678fe1890b15777f472bd20975be
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\c14588e2f9efa4d594f46143f50e7bcf\System.Xml.ni.dll
Filesize: 6.7MB
MD5: b8b08ddba209e4919d9d3a08f565c29d
SHA1: 071f0742629bdc4218416180a2a73b5fcf8b54f5
SHA256: 536e053fa013c1999114139ea175c5622ac9ba98c39e76cb94537a7eb82087f3
SHA512: 9cf3e5cab9f994b4ae866cb3ea3cd7bb54a4dce3c033355355951a7722e28d94a1d05e3f55ed0e35d10edcf3680a57afc0ac8db37eba4e9e0f7b4c66486e7724
-
memory/332-81-0x0000029140FA0000-0x0000029140FC6000-memory.dmp
Filesize: 152KB
-
memory/1152-31-0x0000020F18460000-0x0000020F18514000-memory.dmp
Filesize: 720KB
-
memory/1152-28-0x0000020F16CB0000-0x0000020F16CBC000-memory.dmp
Filesize: 48KB
-
memory/1152-25-0x0000020F16CA0000-0x0000020F16CAA000-memory.dmp
Filesize: 40KB
-
memory/1152-22-0x0000020F16FE0000-0x0000020F17006000-memory.dmp
Filesize: 152KB
-
memory/3860-312-0x000002227D390000-0x000002227D444000-memory.dmp
Filesize: 720KB
-
memory/4068-226-0x000001A4F6E20000-0x000001A4F701A000-memory.dmp
Filesize: 2.0MB
-
memory/4292-293-0x0000019ABCC10000-0x0000019ABCC1C000-memory.dmp
Filesize: 48KB
-
memory/4396-218-0x000001A166620000-0x000001A16668C000-memory.dmp
Filesize: 432KB
-
memory/4720-203-0x000001B12FE60000-0x000001B13032E000-memory.dmp
Filesize: 4.8MB
-
memory/4720-202-0x000001B1169A0000-0x000001B1169AA000-memory.dmp
Filesize: 40KB
-
memory/4720-205-0x000001B12F290000-0x000001B12F2D6000-memory.dmp
Filesize: 280KB
-
memory/4720-206-0x000001B1169C0000-0x000001B1169C8000-memory.dmp
Filesize: 32KB
-
memory/4720-204-0x000001B12F170000-0x000001B12F20C000-memory.dmp
Filesize: 624KB
-
memory/4720-209-0x000001B131670000-0x000001B131728000-memory.dmp
Filesize: 736KB
-
memory/4720-208-0x000001B130F70000-0x000001B131042000-memory.dmp
Filesize: 840KB
-
memory/4720-207-0x000001B12F3F0000-0x000001B12F414000-memory.dmp
Filesize: 144KB
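Added example, not from the report or from the QTTabBar project: a parser for the dropped-file list above that turns each entry into a record and runs the checks a practitioner usually wants before filing these as indicators: every hash has the length its algorithm requires, which dropped paths are byte-identical to a given sample hash (pass the submitted sample's SHA256 to find the Windows\Installer cache copy), which paths appear more than once with different hashes (the 64-bit ngen.log was captured twice here, which is what a lookup keyed on path alone would silently lose), and which paths fall outside the locations an MSI that registers .NET assemblies is expected to write to. The embedded entries are copied from this report; the allowed-location prefixes are an assumption about such an install. The parser also accepts the run-together form of a raw text copy of the report (path followed directly by `Filesize`, `MD5` followed directly by the hash).

```python
"""Parser and sanity checks for a sandbox dropped-files list.
Added example, not from the report; ALLOWED_PREFIXES is an assumption."""
import re

# Accepts the cleaned layout ("MD5: <hex>", "Filesize: 840KB") and the
# run-together raw form ("MD5<hex>", "<path>Filesize").
PATH_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:\\|memory/).*?)(?:Filesize)?$")
SIZE_RE = re.compile(r"^(?:Filesize:\s*)?(\d+(?:\.\d+)?)(KB|MB|B)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):?\s*([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Where a Windows Installer run that registers .NET assemblies is expected to
# write (assumption): rollback script, MSI temp files, installer cache, GAC and
# native images, NGen logs, plus the sandbox's own memory dumps.
ALLOWED_PREFIXES = (
    "C:\\Config.Msi\\",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSI",
    "C:\\Windows\\Installer\\",
    "C:\\Windows\\assembly\\",
    "C:\\Windows\\Microsoft.NET\\",
    "memory/",
)

# Entries copied from this report: the installer cache copy, both captures of
# the 64-bit ngen.log, and one memory dump.
REPORT_FILES = r"""
C:\Windows\Installer\e578482.msi
Filesize: 840KB
MD5: eb955a2d87dce195b5899c1d40a30af6
SHA1: c85d6f4476b2d01b5457bddc67a037bdf47e8709
SHA256: e0dacd6acb15428d2ee6f068bf2e8979013071fd2ee3ccf4a88f687a06f0b908
SHA512: 146ffdafd4f85808503867ca3687c777ac9267f67aa2b1bb169be3b125f9c012c3ab550bfc80fd3684ef912a6fc32ac5fb67f86d2d7cd3ff8f3e78e4b4cfc533
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Filesize: 155KB
MD5: 489b74057dca758bb645a09b8cbd0de0
SHA1: d295a5ddeb570062233cadf6c9229313fc55ed43
SHA256: eb4cd522124e5093eb34c952e75493e654521a38a10af03ce57f1cecd7ef45cf
SHA512: 3f34dcb8209b2024d647494de6281c8cc7e383101082b9bc485f818ab9007c19de416bc2ae690baa15b3378748ea2abd7728ac7bef304ba24520614bb64c5ae3
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Filesize: 155KB
MD5: 268fd556ebf955dc7314e04064d5eeb6
SHA1: f29d157e049928e068af8ec17e6e8948ef542753
SHA256: 627d7e919d4e87cbaeb17cc12730340acd79893603657cb77035f3a74338af40
SHA512: ab43f843cccb278affc9134f78ff12ab5a7a77f9f49780e8af943c7023a6d650bf7e975497797954b1ca8c06a25d9ac3b6aeb60470d11542184d5a51d6ecf11c
-
memory/332-81-0x0000029140FA0000-0x0000029140FC6000-memory.dmp
Filesize: 152KB
"""


def parse_manifest(text):
    """One dict per entry: path, size (as printed), and whichever hashes are present."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if (m := HASH_RE.match(line)) and cur is not None:
            cur[m.group(1)] = m.group(2).lower()
        elif (m := SIZE_RE.match(line)) and cur is not None:
            cur["size"] = m.group(1) + m.group(2)
        elif m := PATH_RE.match(line):
            cur = {"path": m.group("path")}
            entries.append(cur)
    return entries


def hash_problems(entries):
    """(path, algorithm) for every hash whose length does not fit its algorithm."""
    return [(e["path"], alg) for e in entries
            for alg, n in HASH_LEN.items() if alg in e and len(e[alg]) != n]


def copies_of(entries, sha256):
    """Dropped paths whose SHA256 equals the given one (e.g. the submitted sample's)."""
    return [e["path"] for e in entries if e.get("SHA256") == sha256.lower()]


def conflicting_paths(entries):
    """Paths recorded more than once with different SHA256 values."""
    seen = {}
    for e in entries:
        if "SHA256" in e:
            seen.setdefault(e["path"], set()).add(e["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def unexpected_locations(entries, allowed=ALLOWED_PREFIXES):
    """Paths outside the allowed prefixes (case-insensitive)."""
    prefixes = tuple(a.lower() for a in allowed)
    return [e["path"] for e in entries if not e["path"].lower().startswith(prefixes)]


if __name__ == "__main__":
    entries = parse_manifest(REPORT_FILES)
    print("entries:", len(entries), "hash problems:", hash_problems(entries))
    print("conflicting paths:", conflicting_paths(entries))
    print("outside expected locations:", unexpected_locations(entries))
```

When the full list is fed in, the only path that conflicts is the 64-bit ngen.log, and every recorded path sits under one of the allowed prefixes; a user-profile or Program Files drop would show up in unexpected_locations and is the kind of entry worth pulling from the sandbox for a closer look.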