e0dacd6acb15428d2ee6f068bf2e8979013071fd2ee3ccf4a88f687a06f0b908

Analysis

max time kernel
78s
max time network
86s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qttabbar-v1.5.0.0b2.msi
Size

840KB
MD5

eb955a2d87dce195b5899c1d40a30af6
SHA1

c85d6f4476b2d01b5457bddc67a037bdf47e8709
SHA256

e0dacd6acb15428d2ee6f068bf2e8979013071fd2ee3ccf4a88f687a06f0b908
SHA512

146ffdafd4f85808503867ca3687c777ac9267f67aa2b1bb169be3b125f9c012c3ab550bfc80fd3684ef912a6fc32ac5fb67f86d2d7cd3ff8f3e78e4b4cfc533
SSDEEP

12288:3P7sn3MdpZ+7VUqI3t4P3/WOe/dSP/B6iX4r8MtDVGEq+5B/FgRd:/7sn3K+7VU/9a/5bor8MjqUXgX

Score

6^/10

adware persistence privilege_escalation stealer

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce}\ = "QTTabBar AutoLoader"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce}\ = "QTTabBar AutoLoader"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2bf470e-ed1c-487f-a777-2bd8835eb6ce}	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files (x86)\QTTabBar\QTHookLib32.dll msiexec.exe
File created C:\Program Files (x86)\QTTabBar\QTHookLib64.dll msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\QTTabBar\QTHookLib32.dll	msiexec.exe
File created	C:\Program Files (x86)\QTTabBar\QTHookLib64.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

ngen.exengen.exemsiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\tmp\CVYK6EC3\BandObjectLib.dll	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index18.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexf.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\tmp\0YIIOZTU\QTPluginLib.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexe.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat	mscorsvw.exe
File created	C:\Windows\SystemTemp\~DF91673A89DB9AF929.TMP	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexd.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA529.tmp\System.Configuration.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index10.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index18.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index17.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE724.tmp\QTPluginLib.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9693.tmp\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE00F.tmp\Accessibility.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA299.tmp\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB630.tmp\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE8CA.tmp\QTTabBar.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\indexe.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8C81.tmp\BandObjectLib.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index11.dat	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI855D.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index15.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat	mscorsvw.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
3004	MsiExec.exe
3004	MsiExec.exe
2640	MsiExec.exe
2324	MsiExec.exe
2324	MsiExec.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1368	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
1540	mscorsvw.exe
3096	mscorsvw.exe
3096	mscorsvw.exe
3096	mscorsvw.exe
3096	mscorsvw.exe
3096	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
1148	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
2588	mscorsvw.exe
4340	mscorsvw.exe
4340	mscorsvw.exe
4340	mscorsvw.exe
4340	mscorsvw.exe
4340	mscorsvw.exe
4340	mscorsvw.exe
4392	mscorsvw.exe
4392	mscorsvw.exe
4392	mscorsvw.exe
4392	mscorsvw.exe
4392	mscorsvw.exe
4392	mscorsvw.exe
4392	mscorsvw.exe
2148	mscorsvw.exe
2148	mscorsvw.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

4512 msiexec.exe

pid	process
4512	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ea03c27790712bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ea03c2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ea03c277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dea03c277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ea03c27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a333-2bd8835eb6ce} = "QTTabBar"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a666-2bd8835eb6ce} = "QTButtonBar"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a333-2bd8835eb6ce} = "QTTabBar"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{d2bf470e-ed1c-487f-a666-2bd8835eb6ce} = "QTButtonBar"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Toolbar	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\QTTabBarLib.AutoLoader	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\HelpText = "QTTab Desktop Tool"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTTabBarLib.QTTabBarClass\CLSID\ = "{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7FFAB9CEBF85BC04F976C134A857425A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\Class = "QTTabBarLib.QTCoTaskBarClass"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\RuntimeVersion = "v2.0.50727"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\HelpText = "QTTab Standard Buttons"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\ = "QTTabBar AutoLoader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTCoTaskBarClass"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\RuntimeVersion = "v2.0.50727"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\QTTabBarLib.QTButtonBar\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTTabBarLib.AutoLoader\CLSID\ = "{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\ = "mscoree.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\ProgID\ = "QTTabBarLib.QTButtonBar"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\ = "mscoree.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\ProgID\ = "QTTabBarLib.QTTabBarClass"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTTabBarClass"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTButtonBar"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\InprocServer32\1.0.0.0\Assembly = "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461f1cd23d8eb"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\ = "QTTab Desktop Tool"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\HelpText = "QTTabBar AutoLoader"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\1.0.0.0\Class = "QTTabBarLib.QTCoTaskBarClass"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\Class = "QTTabBarLib.QTCoTaskBarClass"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\Version = "17105156"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\ = "QTTabBar AutoLoader"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A777-2BD8835EB6CE}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\PackageCode = "43839E8269B307343A14610FC11FDF04"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A333-2BD8835EB6CE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\MenuText = "QTTab Standard Buttons"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\HelpText = "QTTab Standard Buttons"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2BF470E-ED1C-487F-A555-2BD8835EB6CE}\InprocServer32\ = "mscoree.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D2BF470E-ED1C-487F-A666-2BD8835EB6CE}\ProgID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F4FDE7A14E55D448006A3344C30056\DeploymentFlags = "3"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MsiExec.exemsiexec.exe

pid process

3004 MsiExec.exe
3004 MsiExec.exe
1152 msiexec.exe
1152 msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4512	msiexec.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeCreateTokenPrivilege	4512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4512	msiexec.exe
Token: SeLockMemoryPrivilege	4512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4512	msiexec.exe
Token: SeMachineAccountPrivilege	4512	msiexec.exe
Token: SeTcbPrivilege	4512	msiexec.exe
Token: SeSecurityPrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeLoadDriverPrivilege	4512	msiexec.exe
Token: SeSystemProfilePrivilege	4512	msiexec.exe
Token: SeSystemtimePrivilege	4512	msiexec.exe
Token: SeProfSingleProcessPrivilege	4512	msiexec.exe
Token: SeIncBasePriorityPrivilege	4512	msiexec.exe
Token: SeCreatePagefilePrivilege	4512	msiexec.exe
Token: SeCreatePermanentPrivilege	4512	msiexec.exe
Token: SeBackupPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeShutdownPrivilege	4512	msiexec.exe
Token: SeDebugPrivilege	4512	msiexec.exe
Token: SeAuditPrivilege	4512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4512	msiexec.exe
Token: SeChangeNotifyPrivilege	4512	msiexec.exe
Token: SeRemoteShutdownPrivilege	4512	msiexec.exe
Token: SeUndockPrivilege	4512	msiexec.exe
Token: SeSyncAgentPrivilege	4512	msiexec.exe
Token: SeEnableDelegationPrivilege	4512	msiexec.exe
Token: SeManageVolumePrivilege	4512	msiexec.exe
Token: SeImpersonatePrivilege	4512	msiexec.exe
Token: SeCreateGlobalPrivilege	4512	msiexec.exe
Token: SeCreateTokenPrivilege	4512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4512	msiexec.exe
Token: SeLockMemoryPrivilege	4512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4512	msiexec.exe
Token: SeMachineAccountPrivilege	4512	msiexec.exe
Token: SeTcbPrivilege	4512	msiexec.exe
Token: SeSecurityPrivilege	4512	msiexec.exe
Token: SeTakeOwnershipPrivilege	4512	msiexec.exe
Token: SeLoadDriverPrivilege	4512	msiexec.exe
Token: SeSystemProfilePrivilege	4512	msiexec.exe
Token: SeSystemtimePrivilege	4512	msiexec.exe
Token: SeProfSingleProcessPrivilege	4512	msiexec.exe
Token: SeIncBasePriorityPrivilege	4512	msiexec.exe
Token: SeCreatePagefilePrivilege	4512	msiexec.exe
Token: SeCreatePermanentPrivilege	4512	msiexec.exe
Token: SeBackupPrivilege	4512	msiexec.exe
Token: SeRestorePrivilege	4512	msiexec.exe
Token: SeShutdownPrivilege	4512	msiexec.exe
Token: SeDebugPrivilege	4512	msiexec.exe
Token: SeAuditPrivilege	4512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4512	msiexec.exe
Token: SeChangeNotifyPrivilege	4512	msiexec.exe
Token: SeRemoteShutdownPrivilege	4512	msiexec.exe
Token: SeUndockPrivilege	4512	msiexec.exe
Token: SeSyncAgentPrivilege	4512	msiexec.exe
Token: SeEnableDelegationPrivilege	4512	msiexec.exe
Token: SeManageVolumePrivilege	4512	msiexec.exe
Token: SeImpersonatePrivilege	4512	msiexec.exe
Token: SeCreateGlobalPrivilege	4512	msiexec.exe
Token: SeCreateTokenPrivilege	4512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4512	msiexec.exe
Token: SeLockMemoryPrivilege	4512	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4512 msiexec.exe
4512 msiexec.exe

pid	process
4512	msiexec.exe
4512	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exengen.exengen.exengen.exe

description	pid	process	target process
PID 1152 wrote to memory of 3004	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 3004	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 3004	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 4036	1152	msiexec.exe	srtasks.exe
PID 1152 wrote to memory of 4036	1152	msiexec.exe	srtasks.exe
PID 1152 wrote to memory of 2640	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 2640	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 2640	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 2324	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 2324	1152	msiexec.exe	MsiExec.exe
PID 1152 wrote to memory of 2324	1152	msiexec.exe	MsiExec.exe
PID 2324 wrote to memory of 4880	2324	MsiExec.exe	ngen.exe
PID 2324 wrote to memory of 4880	2324	MsiExec.exe	ngen.exe
PID 2324 wrote to memory of 4880	2324	MsiExec.exe	ngen.exe
PID 4880 wrote to memory of 1368	4880	ngen.exe	Conhost.exe
PID 4880 wrote to memory of 1368	4880	ngen.exe	Conhost.exe
PID 4880 wrote to memory of 1368	4880	ngen.exe	Conhost.exe
PID 4880 wrote to memory of 1540	4880	ngen.exe	mscorsvw.exe
PID 4880 wrote to memory of 1540	4880	ngen.exe	mscorsvw.exe
PID 4880 wrote to memory of 1540	4880	ngen.exe	mscorsvw.exe
PID 2324 wrote to memory of 1624	2324	MsiExec.exe	ngen.exe
PID 2324 wrote to memory of 1624	2324	MsiExec.exe	ngen.exe
PID 1624 wrote to memory of 332	1624	ngen.exe	mscorsvw.exe
PID 1624 wrote to memory of 332	1624	ngen.exe	mscorsvw.exe
PID 1624 wrote to memory of 3096	1624	ngen.exe	mscorsvw.exe
PID 1624 wrote to memory of 3096	1624	ngen.exe	mscorsvw.exe
PID 2324 wrote to memory of 236	2324	MsiExec.exe	ngen.exe
PID 2324 wrote to memory of 236	2324	MsiExec.exe	ngen.exe
PID 2324 wrote to memory of 236	2324	MsiExec.exe	ngen.exe
PID 236 wrote to memory of 1148	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 1148	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 1148	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2328	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2328	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2328	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2588	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2588	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2588	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4340	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4340	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4340	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4392	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4392	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4392	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2148	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2148	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2148	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2812	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2812	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2812	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 3296	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 3296	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 3296	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4892	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4892	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 4892	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2284	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2284	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2284	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2556	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2556	236	ngen.exe	mscorsvw.exe
PID 236 wrote to memory of 2556	236	ngen.exe	mscorsvw.exe
PID 2324 wrote to memory of 4212	2324	MsiExec.exe	ngen.exe
PID 2324 wrote to memory of 4212	2324	MsiExec.exe	ngen.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\qttabbar-v1.5.0.0b2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6942C0A007E85961132F798F06BF0E13 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4036

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 005BDD4CA3C47D95E4FB7E02929D548E
2⤵
- Loads dropped DLL
PID:2640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3E369BC958666F616486097680533DB7 E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:1540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
4⤵
PID:332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "BandObjectLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 294 -Pipe 2b8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 2a4 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 220 -Pipe 2a8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2a8 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 294 -Pipe 2dc -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 2bc -Pipe 294 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 2cc -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2ac -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "BandObjectLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
PID:4212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
4⤵
PID:4720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 268 -Pipe 288 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
4⤵
PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "QTPluginLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 208 -Pipe 214 -Comment "NGen Worker Process"
4⤵
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 220 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "QTPluginLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
PID:492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
4⤵
PID:4292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 260 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 214 -Pipe 220 -Comment "NGen Worker Process"
4⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 224 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "QTTabBar, Version=1.0.0.0, Culture=neutral, PublicKeyToken=973461F1CD23D8EB"
3⤵
- Drops file in Windows directory
PID:2732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
4⤵
PID:3860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 248 -Comment "NGen Worker Process"
4⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
3⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
3⤵
- Drops file in Windows directory
PID:2400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578483.rbs
Filesize
199KB

MD5
c42e9f3356a485e83c84ec73007f6dd5

SHA1
171d562d255957c6f6c7a6b89c8e241fac86dfa4

SHA256
e3c2dc8f1536078f939db59422bb251012d538806744879a7c9eb7b6b15dc2fa

SHA512
e83ef0df0e7fea8185f26fb6ce45c3c7063f68a742adee73efc80046f188f62e924a0b647e2c7474f840c6f3cd808daf6d4d631fb2f42749a58386cc2c761dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI42D5.tmp
Filesize
50KB

MD5
bd7f08c994addeca5b609760832e884e

SHA1
b34b3e47ea634fc66372a4bf49dd313a211aa056

SHA256
1549b4ddbd1059f733475d9e1b42715288150c51ccf166a5aff94154b91a8d1a

SHA512
4493f8585326fc259237dd72ae1bf6a54f9986fd0dd29643cdc3eec120918cb86df13e4c1779b515515dea4421fad51d50e6949b2a02d5779eaa7fe355a545e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI610D.tmp
Filesize
67KB

MD5
d54dda22bb374be5ac6862ea757cad82

SHA1
ff2a6710991145c039915869b3887536376b3b83

SHA256
3b727a1a70641abae30bf2d0b3ba1edfcc44b2873364942b9ecd69bf57defb40

SHA512
018fff3bd7f613f8546037c0b7bacb3a0abd35f51f6bdd33f913341196900da350d824a598616147784f01aba1a2ec0d7e6de2bd05964328028d5420361a5151

Download Submit
C:\Windows\Installer\MSI855D.tmp
Filesize
85KB

MD5
5b58382b995125ce824bf396e64bcec1

SHA1
323d5c15b6ffa611c88355aa68d6ca5b92494992

SHA256
c59f6450eb73e5803220e2b75ac8c926fd001eb9ffe4ee8f1f5cf886a70c5f4d

SHA512
69aca6c5b90e3568202af7105cb8fa3e832ffbb9c0bd89652c732165af9d240c45fa93c81da9d6b3c3e4ec6911e19972a63958a323214c212c119ac2dc716b3b

Download Submit
C:\Windows\Installer\e578482.msi
Filesize
840KB

MD5
eb955a2d87dce195b5899c1d40a30af6

SHA1
c85d6f4476b2d01b5457bddc67a037bdf47e8709

SHA256
e0dacd6acb15428d2ee6f068bf2e8979013071fd2ee3ccf4a88f687a06f0b908

SHA512
146ffdafd4f85808503867ca3687c777ac9267f67aa2b1bb169be3b125f9c012c3ab550bfc80fd3684ef912a6fc32ac5fb67f86d2d7cd3ff8f3e78e4b4cfc533

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Filesize
155KB

MD5
489b74057dca758bb645a09b8cbd0de0

SHA1
d295a5ddeb570062233cadf6c9229313fc55ed43

SHA256
eb4cd522124e5093eb34c952e75493e654521a38a10af03ce57f1cecd7ef45cf

SHA512
3f34dcb8209b2024d647494de6281c8cc7e383101082b9bc485f818ab9007c19de416bc2ae690baa15b3378748ea2abd7728ac7bef304ba24520614bb64c5ae3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Filesize
155KB

MD5
268fd556ebf955dc7314e04064d5eeb6

SHA1
f29d157e049928e068af8ec17e6e8948ef542753

SHA256
627d7e919d4e87cbaeb17cc12730340acd79893603657cb77035f3a74338af40

SHA512
ab43f843cccb278affc9134f78ff12ab5a7a77f9f49780e8af943c7023a6d650bf7e975497797954b1ca8c06a25d9ac3b6aeb60470d11542184d5a51d6ecf11c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log
Filesize
146KB

MD5
995babc72f744002b5fae8145e9425ab

SHA1
362071d86ac53072232180521a9cd059f92cf0b3

SHA256
f7502b8a08a2cdd146dd835a08151e2aa5f750ca78a736ebd7e629f6f4047953

SHA512
96452417e06e4b695ea33ad1e62bf411b0b56b1f6bd98501232b60f7b1ebfdb671a835c5bf19fb690fb8987b7da4975c2e3f69a956216357d73306abdb9c7624

Download Submit
C:\Windows\assembly\GAC_MSIL\BandObjectLib\1.0.0.0__973461f1cd23d8eb\BandObjectLib.dll
Filesize
28KB

MD5
0488729b655c9fb4d43997db23773688

SHA1
6e899508b6bad3aa94c99f335df50dc14cbcf02b

SHA256
2d5d5ad117b3bd4ee93c36f817e011bcf1330ccf7539d287fc3019dd6a6e1445

SHA512
36b7bc0c07980f375ddf47f6dd723b3f0a458906155a1dd45c5715d63108402ca0ca737824f1bb745de353fd394d98df155db02b0f4fa6f6e1059d20c6da103c

Download Submit
C:\Windows\assembly\GAC_MSIL\Interop.SHDocVw\1.1.0.0__973461f1cd23d8eb\Interop.SHDocVw.dll
Filesize
136KB

MD5
83ab7cc9791e5f9093acc797f1d1e48a

SHA1
3b87bfc09f9f59237c45a260f2837c514f4bc7ca

SHA256
b81c92a3f8a6064d05a9cd9f11c0b58cf2240974435f0f822b7c06231b12c61b

SHA512
5783996199696b03826d62b2d19b8ebcc17964851045177031e7fe265842a5ba10c791e344d7e70016c3118981b6208d5526bf856bc503d9d02195e864d9bd0d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\10df751d5f95f37d9c88b64e1beb8dcb\Accessibility.ni.dll
Filesize
25KB

MD5
d7467485e45b04f8fdcd93ff0a3fa48a

SHA1
7197c9065062ca7f42dbb03ee2f49e14961d3c4e

SHA256
ad553ff167e90219be73541b38b24bfe7367c1814d2c6eb098eedc0042cfd41b

SHA512
97973a483797cdc8db4fada668afeecb5ff46820a19576e2bc795648caa5c3967f64c176389ff66635ecc3357265cd14a2d929d59f45ebb418685317bcbece5f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\BandObjectLib\23b9fe8915c8d4f2962704af239e1ec1\BandObjectLib.ni.dll
Filesize
51KB

MD5
b4b9a1418e7633bed00ea1c46665a9f1

SHA1
6f6431bcbed58148d3bb961dd814401c68c587bf

SHA256
9a91b4280d3e33a65e276ae40f00c6a72d1c5681bfe55569e8b2f169ae603723

SHA512
7fa2a56e6bfbc44b74f426fc10278e408087aa29986818c8217c3303596356ff5cad1c3fe66a988951f67e60fbd5b0858549961aeb7dab1f4b0e0b2cb8ba0cda

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Interop.SHDocVw\bd1d6d9d345cb930f5e34d8a2170b786\Interop.SHDocVw.ni.dll
Filesize
336KB

MD5
99ff6537fe4e5768c5777daef2a45978

SHA1
c717151bd4a49f6b0b388e00a250125926b5871d

SHA256
572bf1a6686e49d7d01e262893b0e4d1a053cdc08b758550650b3154b6795b24

SHA512
95c873335bf5ea604c62c9f4778e66e29e245c5fda6df2cfa33a9f38ca2452b97b43ab618b8d7873bf2cc148a849caecede4951b5604cd215c8870a846298d3a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\QTPluginLib\b2763391993e536947c1bf73d3d8edd3\QTPluginLib.ni.dll
Filesize
68KB

MD5
577539339941c58e8167cf1a328f0cc6

SHA1
a2cd69fd5413c9703b9d89cd5ca5f2c91598be46

SHA256
dc8c0c6f3c478e84bcba895264efa4bac2a8be5cc5c16fb71bf36c4d66e2b760

SHA512
5bbeddda7c7a3a0a5566c1d21e8cb1d754c128e42ce68d67ef75d51151b9d07dbbb0c01c363ceafe428fd13b44b4b75aa0108e9d7445446e240857852630ee8d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\QTTabBar\088266f1c42ef1ca9fa5bc67b517cae1\QTTabBar.ni.dll
Filesize
2.6MB

MD5
2aad024e9317e4dda066c90c9a93c91a

SHA1
51a9c276e15f6dff3e37d39607570a13e35a945f

SHA256
234c7af63ccda72ac9700e502e7c0740b8f585136af09ef561710e495784895c

SHA512
79937a91240d83eeb629ada372b956763f856e3b08a10ed9165bf5e64f9c1b31cc16fc8234c9b7ea4951847637f869c348c8d1ebccb4479cad5f9ef842437d1e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\1ecdb24396bcb9857fa0de5e002471e6\System.Configuration.ni.dll
Filesize
958KB

MD5
1cb62f3d8911973b06103dc096991c11

SHA1
ab5c4a252d2addb7fa040b5321046ceab58becc3

SHA256
9a49cc144445723e87d94a3a9e9d38eb5f79a26895b9b47538060ced3b8b40aa

SHA512
ef1b5ceac3662a1717a60d9f930534a8c72343d6484270d3bf97052f9a6388ab706b4aff694453b306dfa8fab3989536827286dfc3bbb1ff6367386a297b5a41

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\9c7a24561961e5eadea2dc93bb7c8492\System.Data.SqlXml.ni.dll
Filesize
2.4MB

MD5
aa0ddbf341004af7a4dd01c116580968

SHA1
4159cae44b546355f60a3b3eb3cba96004637380

SHA256
38046b4dbc84a0af01ef479b6b54011fd4392fee5cfab6caa17bbb88fa7977e9

SHA512
69e2f249e059f070b7803072c691db85db056d5dfd40377ff27683e75c0893f4af45629cef360b9d21be5a936a1299b6f5671e65f5216fc34dceaa787b1ee15d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\324e8e15d7b35ab06f77270d904a5def\System.Deployment.ni.dll
Filesize
1.6MB

MD5
fb5ac6b1c0ce8774b9be3c278f2e13e4

SHA1
609a3915a4452df69d80d9acf1d94a9a23483ef6

SHA256
24d43b799b9e4cd2605d5c69865753c67600195d6622cfb1a1960547b9ba2518

SHA512
8356992a5415348c20fb5e8e4f28b23ed4923ee74fb8ca4c31725d1ead5d0e24bef303954b8d991e80533606a255dd75c01f59bd28cf6ed89cbda9aee8894fbf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\d08771e80605c11c9fd171dc4e549e7d\System.Drawing.ni.dll
Filesize
1.5MB

MD5
88d18286009d006166fb202312f7039b

SHA1
4bcac7df96a6a04f0e9e32270756c5e8e06a72ff

SHA256
cf510e0fa61e87d59ed569a713b9b4e49ac75695cae3b22ef2ac24eea2b569ad

SHA512
3df4ca1c5301df11db320964a1203fa7f6087f499e50e3985a2f9cbc356c210a18ec4b85309d61f68c957b57ec0226bd3ad75e4e22e4e4900bae4aba7ad934aa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9dfe2dfe6827a2ae6da4f06e0a04402c\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize
303KB

MD5
4c947dd62b018e5c81648ae4bde2db59

SHA1
81b30a695bf5aeaec4fa15cc97facb1acd171acf

SHA256
2d78491eb040d73c25b607b37f189f55a58efd90c0140fe168d442f02386ba1e

SHA512
8dce80408eb831b490a8f119b236919bdf50247d8740153fb696e5574ed34a9c5a76aa15dc0294029fb45f024dccb360865e68730d895a6e8b6fceb7dad178db

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\3b6d7bf601438839b52ad3eb480061f5\System.Security.ni.dll
Filesize
705KB

MD5
6c9ca33de94dcdb888550b432c1d9632

SHA1
24fa19b9b96b880dd0c61c5b69bb4dce1161647c

SHA256
beec57e255e4db1ead56a3fb147a8407352580b0e2a3e95abea569dac62ec511

SHA512
5dd2deff15619bf401c1a0c2c02c39db750d0fee21128e4dd36fcc785d90a407b9c60d2375fe60c08c3d41a995e90365138a76f2434b5290c8c68eeb4a741503

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7e3c2dd0319b33bd46951a923b6c0bea\System.Windows.Forms.ni.dll
Filesize
11.9MB

MD5
e2569429243b123bca263865b75bcd04

SHA1
1f5b43c8257754ac1d6ced9955e062afa2b3f886

SHA256
0801188d8398bb1611e4ee1178a38ef34b3571195261ca5dcf94bc2ae3b75a7b

SHA512
d7d7199f0bf14d0cb3c347aec6806aa0d3d2e8748c87ac006eea3d385a0b1274bed76e3e6cac0ac66ef032b8c5d47cfc18f7e8e6e43d11cf5c3ae7ae7fbbffb8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b37a4f2d7acaa0e74eae1b056fa7dfc6\System.Xml.ni.dll
Filesize
5.2MB

MD5
c4b3a3cd8c8b8dcb27130915bc3b988e

SHA1
26a294f63ad52b65059251473e09d90c51b56f2b

SHA256
f83a83b6cdc9c95a183b0cd841a6391db263fa27c44d57ec0fe7e577af158718

SHA512
9f543eca80e2463d7deca3001d04380e9f15580d4951d7f3954abdd5f8a4f5879c807329de7d288db950caca36f5c417c0d1d0783637b2cc270661dfe298ecaf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\e176a6d5cd5cdfd653e8096aa31617f8\Accessibility.ni.dll
Filesize
77KB

MD5
a2e50fcb10e8525c93dce6c99fbe43ac

SHA1
09a2d26a808f1c89b3673ca18c039dc59d26532e

SHA256
70f98e52fc8bf0321b9562cccd5ab2f3b5062e9820909a3a9ad2c424c7b36bc3

SHA512
92201aa57506ee3bae3c8e590806c6f01e79166df86c956d656b9b829cd17a7c550bbc2ab7659bd380a6f275324845586352078b480ab5c4212b72819e096071

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\BandObjectLib\c9dbb8e1c624ff666dcb4b63ab148b20\BandObjectLib.ni.dll
Filesize
90KB

MD5
c055c8a8a11ae0e764a8ea83cabd2ade

SHA1
96187011c15ca59b26a11e4cc72c1d6e98a5ee66

SHA256
3591e03982d95c3006acf75187d45fe99baf7206f5c116841c44e4eced671ca0

SHA512
507a0fe2ec20a9e0e9e6b1cd879d61d77f99e38d042ed7a28692814325eb6e87bf7752de53cfcb1dd44a6bcadc462dfae72c44ed540ae0944daccd7f3a4819f8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Interop.SHDocVw\7307b3dd97ffb95789cd98fbff1974d4\Interop.SHDocVw.ni.dll
Filesize
738KB

MD5
cdbf24191e91a0d6d4967703625938ce

SHA1
e216ca287b73edb1c0f2b26535645c1626ec3658

SHA256
a3567622a28cfa3df293df0e9297a4c07eccd25a73d104fa829e945e46e91bce

SHA512
dc6ff58a07ee40c16f25b41f201c0c126503c53feea61cf9bbf6b185c928e65c4be86124e94217c55982f4fdd3158cc5c0cd3c9045bd4af6505e3573fd0f1391

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\QTPluginLib\0aafe72f12f3384ee662c819dc8681a5\QTPluginLib.ni.dll
Filesize
165KB

MD5
af6cd9c21c045fc76ca8e790058fc90d

SHA1
a649fc6e5957af99356b32a7ecd739d93dc784b3

SHA256
a23b9fc65932a9c552e4229896e0ad789c7bc15922020e22276f1edd45b57934

SHA512
75e5f5a265999947a85de4b900e87b37a6cb34c8ad9686f3cd849e0a05652376e9e7fc0b958f19bed9c1936a3e4cf6bbde3dffe6fba5a64047d10965a5a76555

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\QTTabBar\58409835d5267f6f2cd4ba99a989f95a\QTTabBar.ni.dll
Filesize
3.6MB

MD5
c32ac1156d313261279093a201145388

SHA1
cb2f74e16e67947328fbf2735acb81d941c6a72f

SHA256
7d99087724dfd0d1825325f681244c5a5930a421aec4bdb2a397334ba0408bf7

SHA512
1245064824b1ca458cb85736ded2889ee16572eac48632d17ebd80ce47416810ff463f82b0c8d18a0c40ad3870c617d9a3240e4ff485a7a95cca0604dc97e6dd

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\e4db39da8a3b5543110df6ddd38ffeeb\System.Configuration.ni.dll
Filesize
1.3MB

MD5
060d36538a1c937e32943af480971b3c

SHA1
657c94ac480653524461015bdfe761dd212c31d8

SHA256
6fbd851b513860f8354ed70c447ebb5f16754be86057c87dd6d46988f9507c08

SHA512
4b8ff37bb1a9a43d672782f3fa3e9ace68a444bb71d8088842090e8c82fa5f2cbbfc2bdd12192af7949e269d8b957cc0bdc283469c15624efa47e4e1197c03ac

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.SqlXml\466db48c0235f1d6a651e870b94d9391\System.Data.SqlXml.ni.dll
Filesize
3.3MB

MD5
7863dad6521ae06d91567a415e4476d2

SHA1
54325d3e8fc1e2b698c12f70fa3ab85ef4b5c523

SHA256
0b038ffd06d568adc200d6a8909d3a05c3f66580ff13db3590797fe674825101

SHA512
9d4ebb8490ba920d833947dbda98a830c82e1a94b98091f9fe8768de037e33334e1e27b3b31e88470a87a5c8357b808e1a6c7a77a5e1fe58b11990e00ae473c9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\e440b98295230d470860686828cad356\System.Deployment.ni.dll
Filesize
2.2MB

MD5
056f22728c8c630c4034d8b07936ba1e

SHA1
0a9ed151742ac74d745f4a2a9f8891a191f29065

SHA256
ab1f07fa49a944c47b29d52ccaf1b926985ed230c2ba78cbbbcd578231a5f9e8

SHA512
4bab3240e6e6fb2ddcf5fde7be516cf64c0c1882ba5c9da7163b8174d3883d4985c52c25a00f0b4e0dfd717980713775a614024afbeebeb6c5ec8fdeba22619f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\c7e28b9bc4375c076434dce6fd7bf657\System.Drawing.ni.dll
Filesize
2.2MB

MD5
d9c40ec0dadd4e902bf4e862c42a8411

SHA1
2527b3e1f404ec3030f6553cf54f466830c4b95d

SHA256
4ce12ed8daef863e9aa208a1e66d8df449306bfa417f0beec43da0b545cbb23d

SHA512
9b54ae2242080ab5b15a9c56e4c1991a9fa99b9df184835a5d7a0c166d68cc6af7316473bef186369d1d411c55d4b5631b848647327357bea181d3000708d918

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\73d2d7d094c2c3328313c73b10aedb97\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize
387KB

MD5
4ae40df8d34370140a381717ab50ee43

SHA1
77e48136dade400051a769dbcfc00df53c418a26

SHA256
229f36348993d723444e3efd8f7271a4faa5e1076e6d22ec74f0e81e0a988c44

SHA512
b9f1debd3eb7ced28f864e5adf271b4f3a999f975b267112dbc4e58a7ecec8e4246f6a9093f576844f2365ce41de380e0a24838b999db345c7a6b236de647133

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Security\170c3a6a84f7509ab63e98937e4652cb\System.Security.ni.dll
Filesize
960KB

MD5
6f61c6adae2b50681325a6dfddb29d62

SHA1
c406bb31cdb08d38694efaf93b04cbb4f081d001

SHA256
2b51e20e4debe5c2e697e032617b7d7d6d4251508e1423019e24bb851efe6faf

SHA512
ed49b6cf1417d1bc9508ab586829c8437bda7f1bb572bfd06b7ebab894cafccadd653ec86b13052dff4fb19436c3e0e498f5541213c16fb653d2574ed13723d6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\8207c013c0f0da13624762755d9e7c4e\System.Windows.Forms.ni.dll
Filesize
16.6MB

MD5
796a9ddd51615383d3fff96b38c6ddb9

SHA1
52bbe495b840a58bf0ea333ad2f685da8803ae5a

SHA256
ba71dd4860e1fe1fbd91774f03cc637d7b890c610627280b41d4e29f15070457

SHA512
aeff4108a6727093a59b12bace8893a6a332a950199537a251aac60a2e232fa0ca12bf51fc8223474b06f9a9fdcd5fa5b4fc678fe1890b15777f472bd20975be

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\c14588e2f9efa4d594f46143f50e7bcf\System.Xml.ni.dll
Filesize
6.7MB

MD5
b8b08ddba209e4919d9d3a08f565c29d

SHA1
071f0742629bdc4218416180a2a73b5fcf8b54f5

SHA256
536e053fa013c1999114139ea175c5622ac9ba98c39e76cb94537a7eb82087f3

SHA512
9cf3e5cab9f994b4ae866cb3ea3cd7bb54a4dce3c033355355951a7722e28d94a1d05e3f55ed0e35d10edcf3680a57afc0ac8db37eba4e9e0f7b4c66486e7724

Download Submit
memory/332-81-0x0000029140FA0000-0x0000029140FC6000-memory.dmp

Filesize
152KB

Download
memory/1152-31-0x0000020F18460000-0x0000020F18514000-memory.dmp

Filesize
720KB

Download
memory/1152-28-0x0000020F16CB0000-0x0000020F16CBC000-memory.dmp

Filesize
48KB

Download
memory/1152-25-0x0000020F16CA0000-0x0000020F16CAA000-memory.dmp

Filesize
40KB

Download
memory/1152-22-0x0000020F16FE0000-0x0000020F17006000-memory.dmp

Filesize
152KB

Download
memory/3860-312-0x000002227D390000-0x000002227D444000-memory.dmp

Filesize
720KB

Download
memory/4068-226-0x000001A4F6E20000-0x000001A4F701A000-memory.dmp

Filesize
2.0MB

Download
memory/4292-293-0x0000019ABCC10000-0x0000019ABCC1C000-memory.dmp

Filesize
48KB

Download
memory/4396-218-0x000001A166620000-0x000001A16668C000-memory.dmp

Filesize
432KB

Download
memory/4720-203-0x000001B12FE60000-0x000001B13032E000-memory.dmp

Filesize
4.8MB

Download
memory/4720-202-0x000001B1169A0000-0x000001B1169AA000-memory.dmp

Filesize
40KB

Download
memory/4720-205-0x000001B12F290000-0x000001B12F2D6000-memory.dmp

Filesize
280KB

Download
memory/4720-206-0x000001B1169C0000-0x000001B1169C8000-memory.dmp

Filesize
32KB

Download
memory/4720-204-0x000001B12F170000-0x000001B12F20C000-memory.dmp

Filesize
624KB

Download
memory/4720-209-0x000001B131670000-0x000001B131728000-memory.dmp

Filesize
736KB

Download
memory/4720-208-0x000001B130F70000-0x000001B131042000-memory.dmp

Filesize
840KB

Download
memory/4720-207-0x000001B12F3F0000-0x000001B12F414000-memory.dmp

Filesize
144KB

Download