Analysis

max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2023, 12:31
Static task: static1
Behavioral task: behavioral1
Sample: cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe
Resource: win7-20231023-en
General

Target: cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe
Size: 1.8MB
MD5: 702925aee1a4d35f7a780d41d1e6c3cf
SHA1: 4ed597a89f89081d4f3fd70447a52420dc5fe4c9
SHA256: cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f
SHA512: 91edd4b1776ed87e6c6d5b5950db5c6d8768a6d16b5a8cf8a2ce6d39c9611b2a3230287b7fbef0b195ef9414cee31c3b5493be00875055cde099b4a3b5fdcc48
SSDEEP: 49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnSpxlMPdlR8v4UC0Eg6ET7M/I:MKlBAFPydSS6W6X9lnWl2/V0cETQ/I
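Before anything in the behavioural sections is acted on, the local copy of the sample should be checked against the digests above. The script below is an added example, not part of the sandbox report or of any sandbox tooling: it hashes the file once with all four algorithms (so a large file is read a single time) and reports any digest that disagrees with the report. Function names are this example's own; the constructed test input is the string "abc", not the sample itself.

```python
import hashlib
import io
import sys
from typing import BinaryIO, Dict

# Digests exactly as the report's General section prints them.
REPORTED = {
    "md5": "702925aee1a4d35f7a780d41d1e6c3cf",
    "sha1": "4ed597a89f89081d4f3fd70447a52420dc5fe4c9",
    "sha256": "cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f",
    "sha512": "91edd4b1776ed87e6c6d5b5950db5c6d8768a6d16b5a8cf8a2ce6d39c9611b2a"
              "3230287b7fbef0b195ef9414cee31c3b5493be00875055cde099b4a3b5fdcc48",
}

CHUNK = 1 << 20  # read 1 MiB at a time so memory stays flat for large files


def digest_stream(stream: BinaryIO) -> Dict[str, object]:
    """Hash a binary stream once, feeding every chunk to all four algorithms.

    Returns the hex digests keyed by algorithm name plus the byte count under
    "size", a cheap cross-check against the report's 1.8MB.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    size = 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        size += len(block)
        for h in hashers.values():
            h.update(block)
    result: Dict[str, object] = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digest_bytes(data: bytes) -> Dict[str, object]:
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digest_stream(io.BytesIO(data))


def mismatches(actual: Dict[str, object], expected: Dict[str, str]) -> Dict[str, tuple]:
    """Return {algorithm: (reported, computed)} for each digest that differs.

    An empty dict means every digest named in `expected` matched. Hex case is
    normalised because reports and tools do not agree on it.
    """
    return {
        name: (want, actual[name])
        for name, want in expected.items()
        if name in actual and want.lower() != str(actual[name]).lower()
    }


def verify_file(path: str, expected: Dict[str, str] = REPORTED) -> Dict[str, tuple]:
    """Hash the file at `path` and compare it with the report's digests."""
    with open(path, "rb") as f:
        return mismatches(digest_stream(f), expected)


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-local-copy-of-the-sample>
    bad = verify_file(sys.argv[1])
    for name, (want, got) in bad.items():
        print(f"{name}: report {want} / file {got}")
    sys.exit(1 if bad else 0)
```

A non-empty result from verify_file means the file on disk is not the one this report describes; a common cause is a sample re-packed or renamed by the transport it arrived through, which is why the comparison is done against all four digests rather than the file name alone.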
Malware Config

No configuration was extracted for this sample; the section is empty in the report.

Signatures
Executes dropped EXE (64 IoCs)

The sandbox calls these "dropped" because each executable was written to disk by the sample or by one of its children before it ran. Every one of them is a pre-existing Windows, .NET, Office, Mozilla or Google service binary at its normal path, and most of those paths reappear under the "Drops file in ..." sections below as opened for modification (the file lists are capped at 64 entries each). The sample is therefore rewriting installed service executables in place rather than dropping new files, and the rewritten services then run in their usual service context. PIDs are reused during the run (2368 is ehRecvr.exe and later a mscorsvw.exe instance; 2884 appears twice), so do not key on PID alone.

pid   process
468   Process not Found (name not resolved by the sandbox)
2780  alg.exe
2540  aspnet_state.exe
820   dllhost.exe
2368  ehRecvr.exe
292   ehsched.exe
3064  elevation_service.exe
2588  IEEtwCollector.exe
2560  GROOVE.EXE
2744  maintenanceservice.exe
848   msdtc.exe
836   msiexec.exe
1408  OSE.EXE
2356  OSPPSVC.EXE
1900  perfhost.exe
1068  locator.exe
2948  snmptrap.exe
3040  vds.exe
896   vssvc.exe
2292  wbengine.exe
688   WmiApSrv.exe
1680  wmpnetwk.exe
2412  SearchIndexer.exe
mscorsvw.exe, 41 instances (the .NET native image service and its worker processes): 1484, 2692, 1936, 1636, 2168, 1756, 2336, 2424, 944, 2924, 2680, 1212, 2884, 3012, 1832, 1620, 1956, 2884, 1072, 1608, 2252, 2660, 992, 2316, 2176, 2248, 948, 764, 2824, 1992, 2068, 2360, 2056, 2932, 2984, 2368, 1176, 972, 488, 892, 2280
Loads dropped DLL (37 IoCs)

Several of the mscorsvw.exe PIDs here (1684, 1052, 2284, 1116, 1336, 2916) are absent from the capped "Executes dropped EXE" list above, so the run contained more than the 41 mscorsvw.exe instances shown there.

pid   process                 entries
468   Process not Found       13 (name not resolved by the sandbox)
752   Process not Found       1
836   msiexec.exe             1
2932  mscorsvw.exe            2
2368  mscorsvw.exe            2
972   mscorsvw.exe            2
892   mscorsvw.exe            2
1684  mscorsvw.exe            2
1052  mscorsvw.exe            2
2284  mscorsvw.exe            2
1072  mscorsvw.exe            2
1116  mscorsvw.exe            2
1336  mscorsvw.exe            2
2916  mscorsvw.exe            2
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials. No IoCs are attached to this signature in the report, so on this page it is unsupported: the only browser-profile paths that appear anywhere are the two counters.dat files under Temporary Internet Files in the SYSTEM profile (see "Drops file in System32 directory"), written by SearchProtocolHost.exe and GROOVE.EXE, which is WinINet cache bookkeeping by those services rather than access to a user's saved credentials. Treat the signature as unconfirmed until a process is seen reading a real user's browser profile.
Drops file in System32 directory (20 IoCs)

Two of the writes are the sample's own (alg.exe and dllhost.exe); thirteen are by aspnet_state.exe and two by mscorsvw.exe, both of which the sample had already rewritten (see "Drops file in Windows directory"). The targets are service executables that are owned by TrustedInstaller on a stock installation, which is why SeTakeOwnershipPrivilege appears in the token section for both the sample and aspnet_state.exe. The one file here that belongs to no Windows component is C:\Windows\system32\config\systemprofile\AppData\Roaming\d9ec5da2ea1ae02.bin, written by aspnet_state.exe; it is the artifact to collect from an infected host. The counters.dat and MSDTC.LOG writes are normal service bookkeeping.

File opened for modification by cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe (2):
  C:\Windows\System32\alg.exe
  C:\Windows\system32\dllhost.exe
File opened for modification by aspnet_state.exe (13):
  C:\Windows\SysWow64\perfhost.exe
  C:\Windows\system32\locator.exe
  C:\Windows\System32\vds.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\System32\msdtc.exe
  C:\Windows\system32\msiexec.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\IEEtwCollector.exe
  C:\Windows\System32\snmptrap.exe
  C:\Windows\system32\vssvc.exe
  C:\Windows\system32\wbengine.exe
  C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\config\systemprofile\AppData\Roaming\d9ec5da2ea1ae02.bin
File opened for modification by mscorsvw.exe (2):
  C:\Windows\system32\IEEtwCollector.exe
  C:\Windows\system32\fxssvc.exe
File opened for modification by msdtc.exe (1):
  C:\Windows\system32\MSDtc\MSDTC.LOG
File opened for modification by SearchProtocolHost.exe (1):
  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
File opened for modification by GROOVE.EXE (1):
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Drops file in Program Files directory (64 IoCs)

The eleven files the sample itself creates all land in C:\Program Files (x86)\Google\Temp\GUM8891.tmp\ and are GoogleUpdateSetup.exe, GoogleCrashHandler.exe and goopdateres_*.dll resource DLLs, which is what a Google Update installer unpacks when it runs; the sample therefore appears to be carrying, and still executing, a Google Update setup program as its host. The remaining 53 entries are third-party executables (Java, Office, Adobe, Mozilla, Google, 7-Zip, VLC) opened for modification by the already-rewritten aspnet_state.exe (24) and mscorsvw.exe (29). Two targets (reader_sl.exe and GoogleCrashHandler64.exe) are modified by both.

File created by cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe in C:\Program Files (x86)\Google\Temp\GUM8891.tmp\ (11):
  GoogleCrashHandler.exe
  GoogleUpdateSetup.exe
  goopdateres_sk.dll
  goopdateres_lt.dll
  goopdateres_es-419.dll
  goopdateres_fil.dll
  goopdateres_ru.dll
  goopdateres_is.dll
  goopdateres_ur.dll
  goopdateres_bg.dll
  goopdateres_et.dll
File opened for modification by aspnet_state.exe (24):
  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
  C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  C:\Program Files (x86)\Google\Update\Install\{09AF65C3-6C54-42BA-97FD-BF91F7EA3A54}\chrome_installer.exe
  C:\Program Files\DVD Maker\DVDMaker.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  C:\Program Files\Java\jre7\bin\jp2launcher.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  C:\Program Files\Java\jre7\bin\kinit.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
  C:\Program Files\VideoLAN\VLC\uninstall.exe
File opened for modification by mscorsvw.exe (29):
  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
  C:\Program Files\Java\jre7\bin\pack200.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  C:\Program Files\Mozilla Firefox\updater.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
  C:\Program Files\Java\jre7\bin\servertool.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
  C:\Program Files\Java\jre7\bin\jabswitch.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
  C:\Program Files\Java\jre7\bin\policytool.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files\DVD Maker\DVDMaker.exe
Drops file in Windows directory (64 IoCs)

The sample rewrites five service binaries here: three of the four mscorsvw.exe copies, the 64-bit aspnet_state.exe, and Media Center's ehRecvr.exe; the fourth mscorsvw.exe (Framework64\v2.0.50727) is rewritten by aspnet_state.exe and again by a mscorsvw.exe. Because mscorsvw.exe is the .NET native image (ngen) service and the sandbox image had queued native-image work, the rewritten service was started repeatedly and produced the 52 index*.dat, ZAP*.tmp, GACLock.dat and lock-file entries below. Those writes are the service's normal output and are not indicators on their own; the indicators are the modified mscorsvw.exe, aspnet_state.exe, ehRecvr.exe, ehsched.exe and PresentationFontCache.exe binaries.

File opened for modification by cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe (5):
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\ehome\ehRecvr.exe
File opened for modification by aspnet_state.exe (1):
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
File opened for modification by mscorsvw.exe, executables (3):
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  C:\Windows\ehome\ehsched.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
File opened for modification by SearchIndexer.exe (1):
  C:\Windows\ehome\ehsched.exe
File opened for modification by msdtc.exe (1):
  C:\Windows\DtcInstall.log
File created by dllhost.exe (1):
  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{46641891-2932-4E5C-8A5E-196ABDAA0918}.crmlog
mscorsvw.exe native-image housekeeping (52 entries, normal ngen output):
  C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat through index13f.dat (26 File created / File opened for modification events)
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ staging copies, 7 File created: ZAPC4A6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll, ZAPCEF3.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll, ZAPB28D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll, ZAPC958.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll, ZAP977F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll, ZAPAC85.tmp\Microsoft.Office.Tools.v9.0.dll, ZAPBD95.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll
  C:\Windows\assembly\GACLock.dat (6 File created), C:\Windows\assembly\ngenlock.dat (4 File created)
  ngen_service.log opened for modification under C:\Windows\Microsoft.NET\Framework\v2.0.50727, Framework64\v2.0.50727 and Framework\v4.0.30319 (3)
  Lock files created (6): C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat, C:\Windows\Microsoft.NET\ngennicupdatelock.dat, C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat, C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat, C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat
Modifies data under HKEY_USERS (64 IoCs)

All 64 writes go to \REGISTRY\USER\.DEFAULT, the SYSTEM account's profile hive, and all are made by Windows services (Search indexer, Media Center, Media Player sharing) that the sample had rewritten and that were then started. The values themselves are routine service state (MuiCache resource strings, shell-extension cache stamps, SBE stream-buffer tuning), not persistence or configuration written by the sample; the security-relevant fact is that these services are running from modified binaries, not what they write here.

SearchProtocolHost.exe, Set value (str) under \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\ (36 values):
  @C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"
  @C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"
  @%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."
  @C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
  @gameux.dll,-10061 = "Spider Solitaire"
  @gameux.dll,-10058 = "Purble Place"
  @C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"
  @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
  @C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"
  @%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."
  @%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."
  @C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"
  @C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"
  @C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"
  @C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"
  @C:\Windows\system32\pmcsnap.dll,-700 = "Print Management"
  @gameux.dll,-10057 = "Minesweeper"
  @C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"
  @C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"
  @gameux.dll,-10055 = "FreeCell"
  @%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"
  @C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"
  @C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"
  @%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"
  @C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"
  @C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"
  @%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."
  @%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."
  @%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."
  @C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"
  @C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"
  @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
  @%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."
  @C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"
  @%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."
  @%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins."
SearchProtocolHost.exe, other (6):
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0a6996ff60bda01
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a04ccf79f60bda01
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060ad3d72f60bda01
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
SearchIndexer.exe, Set value (str) under the same MuiCache key (4):
  C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
  C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"
  C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"
  C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"
SearchFilterHost.exe, Key created (6):
  \REGISTRY\USER\.DEFAULT\Software
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
ehRec.exe, Set value (int) under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ (9; the value name CommitMaxCheckPoitnRateMs is spelled that way in the registry):
  NvpClientsCount = "32"
  CacheWaitForSize = "32"
  CommitMaxCheckPointPageCount = "7"
  CacheShortPageCount = "64"
  FileGrowthQuantumSeconds = "180"
  FileInlineGrowthQuantumSeconds = "30"
  LogInitialPageCount = "16"
  FileDiscontinuitiesPerSecond = "20"
  CommitMaxCheckPoitnRateMs = "10000"
ehRecvr.exe (2):
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"
wmpnetwk.exe (1):
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{1958BC44-CF87-4CE3-A70C-3DB7BC05BE1B}
Suspicious behavior: EnumeratesProcesses (6 IoCs)

Five of the six enumerations come from the rewritten aspnet_state.exe (PID 2540), the same process that enables SeDebugPrivilege and SeTakeOwnershipPrivilege below; an ASP.NET session-state service has no reason to walk the process list. The single ehRec.exe entry is Media Center's recorder.

pid   process            entries
2520  ehRec.exe          1
2540  aspnet_state.exe   5
Suspicious use of AdjustPrivilegeToken (64 IoCs)

Grouped by process; count is the number of enable events. The entries that matter are the sample enabling SeTakeOwnershipPrivilege and the rewritten aspnet_state.exe enabling SeTakeOwnershipPrivilege and SeDebugPrivilege: taking ownership is the standard route to write access on TrustedInstaller-owned binaries under System32 and Program Files, which is exactly what the file sections show happening next. msiexec.exe, vssvc.exe and wbengine.exe enabling backup, restore and security privileges is routine for those services. "33" is a privilege the sandbox did not map to a name; LUID 33 is SeIncreaseWorkingSetPrivilege. The 41 SeShutdownPrivilege enables all come from the two long-lived mscorsvw.exe service instances (PIDs 1936 and 1636). PID 2412 is used by both the sample and, later, SearchIndexer.exe.

process                                                                   pid   privilege                               count
cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe      2412  SeTakeOwnershipPrivilege                1
aspnet_state.exe                                                          2540  SeTakeOwnershipPrivilege                1
aspnet_state.exe                                                          2540  SeDebugPrivilege                        1
mscorsvw.exe                                                              1936  SeShutdownPrivilege                     22
mscorsvw.exe                                                              1636  SeShutdownPrivilege                     19
mscorsvw.exe                                                              1936  SeDebugPrivilege                        1
EhTray.exe                                                                584   33 (SeIncreaseWorkingSetPrivilege)      2
EhTray.exe                                                                584   SeIncBasePriorityPrivilege              2
ehRec.exe                                                                 2520  SeDebugPrivilege                        1
msiexec.exe                                                               836   SeRestorePrivilege                      1
msiexec.exe                                                               836   SeTakeOwnershipPrivilege                1
msiexec.exe                                                               836   SeSecurityPrivilege                     1
vssvc.exe                                                                 896   SeBackupPrivilege                       1
vssvc.exe                                                                 896   SeRestorePrivilege                      1
vssvc.exe                                                                 896   SeAuditPrivilege                        1
wbengine.exe                                                              2292  SeBackupPrivilege                       1
wbengine.exe                                                              2292  SeRestorePrivilege                      1
wbengine.exe                                                              2292  SeSecurityPrivilege                     1
wmpnetwk.exe                                                              1680  33 (SeIncreaseWorkingSetPrivilege)      1
wmpnetwk.exe                                                              1680  SeIncBasePriorityPrivilege              1
SearchIndexer.exe                                                         2412  SeManageVolumePrivilege                 1
SearchIndexer.exe                                                         2412  33 (SeIncreaseWorkingSetPrivilege)      1
SearchIndexer.exe                                                         2412  SeIncBasePriorityPrivilege              1
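The token table is long mostly because of the repeated SeShutdownPrivilege enables, and the four entries that matter are easy to miss in it. The code below is an added example, not part of the report or of any sandbox tooling: it parses the report's "Token: <privilege> <pid> <process>" layout, tallies enables per process name (not per PID, since PIDs are reused in this run), and flags sensitive privileges enabled by processes for which they are not expected. REPORT_EXCERPT is a constructed subset of the 64 entries above. Two things are assumptions of this example rather than statements of the report: the mapping of the bare "33" to SeIncreaseWorkingSetPrivilege (its LUID on Windows), and the allow-list of (process, privilege) pairs treated as routine.

```python
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

SAMPLE = "cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe"

# Constructed excerpt: seventeen of the page's 64 token entries, flattened
# onto one line the way the report prints them.
REPORT_EXCERPT = " ".join([
    "description pid Process",
    "Token: SeTakeOwnershipPrivilege 2412 " + SAMPLE,
    "Token: SeShutdownPrivilege 1936 mscorsvw.exe",
    "Token: SeShutdownPrivilege 1636 mscorsvw.exe",
    "Token: SeTakeOwnershipPrivilege 2540 aspnet_state.exe",
    "Token: 33 584 EhTray.exe",
    "Token: SeIncBasePriorityPrivilege 584 EhTray.exe",
    "Token: SeDebugPrivilege 2520 ehRec.exe",
    "Token: SeRestorePrivilege 836 msiexec.exe",
    "Token: SeTakeOwnershipPrivilege 836 msiexec.exe",
    "Token: SeSecurityPrivilege 836 msiexec.exe",
    "Token: SeBackupPrivilege 896 vssvc.exe",
    "Token: SeRestorePrivilege 896 vssvc.exe",
    "Token: SeAuditPrivilege 896 vssvc.exe",
    "Token: SeManageVolumePrivilege 2412 SearchIndexer.exe",
    "Token: SeDebugPrivilege 2540 aspnet_state.exe",
    "Token: SeDebugPrivilege 1936 mscorsvw.exe",
    "Token: SeShutdownPrivilege 1936 mscorsvw.exe",
    "-",
])

_TOKEN = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Assumption: the sandbox prints privileges it cannot name as a bare LUID;
# LUID 33 is SeIncreaseWorkingSetPrivilege in winnt.h.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Privileges that let a process rewrite protected files, read arbitrary
# memory or bypass ACLs; enabling one is the step worth alerting on.
SENSITIVE = {"SeTakeOwnershipPrivilege", "SeDebugPrivilege", "SeRestorePrivilege",
             "SeBackupPrivilege", "SeSecurityPrivilege", "SeLoadDriverPrivilege"}

# Assumed allow-list: (process, privilege) pairs that are routine for the
# installer and backup services on this page. Tune per environment.
EXPECTED: Set[Tuple[str, str]] = {
    ("msiexec.exe", "SeRestorePrivilege"), ("msiexec.exe", "SeTakeOwnershipPrivilege"),
    ("msiexec.exe", "SeSecurityPrivilege"),
    ("vssvc.exe", "SeBackupPrivilege"), ("vssvc.exe", "SeRestorePrivilege"),
    ("wbengine.exe", "SeBackupPrivilege"), ("wbengine.exe", "SeRestorePrivilege"),
    ("wbengine.exe", "SeSecurityPrivilege"),
}

TokenEvent = Tuple[str, int, str]   # (privilege, pid, process)


def parse_token_events(text: str) -> List[TokenEvent]:
    """Extract (privilege, pid, process) triples, naming bare LUIDs if known."""
    flat = " ".join(text.split())
    return [(LUID_NAMES.get(priv, priv), int(pid), proc)
            for priv, pid, proc in _TOKEN.findall(flat)]


def tally(events: Iterable[TokenEvent]) -> Counter:
    """(process, privilege) -> number of enable events.

    Keyed on the image name rather than the PID because PIDs are reused in
    this run (2412 is both the sample and SearchIndexer.exe).
    """
    return Counter((proc.lower(), priv) for priv, _pid, proc in events)


def flag_sensitive(events: Iterable[TokenEvent],
                   expected: Set[Tuple[str, str]] = EXPECTED) -> List[Tuple[str, str]]:
    """Sorted (process, privilege) pairs that enabled a sensitive privilege
    without being on the allow-list. Each pair is reported once however many
    times it was enabled."""
    hits = {(proc.lower(), priv) for priv, _pid, proc in events
            if priv in SENSITIVE and (proc.lower(), priv) not in expected}
    return sorted(hits)
```

Run against the full table, flag_sensitive returns the sample's SeTakeOwnershipPrivilege, both of aspnet_state.exe's sensitive enables, and the single SeDebugPrivilege from mscorsvw.exe and from ehRec.exe, leaving the analyst four lines to judge instead of sixty-four.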
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 584 EhTray.exe 584 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 584 EhTray.exe 584 EhTray.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 892 SearchProtocolHost.exe 892 SearchProtocolHost.exe 892 SearchProtocolHost.exe 892 SearchProtocolHost.exe 892 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe 2096 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2168 1936 mscorsvw.exe 45 PID 1936 wrote to memory of 2168 1936 mscorsvw.exe 45 PID 1936 wrote to memory of 2168 1936 mscorsvw.exe 45 PID 1936 wrote to memory of 2168 1936 mscorsvw.exe 45 PID 1936 wrote to memory of 1756 1936 mscorsvw.exe 50 PID 1936 wrote to memory of 1756 1936 mscorsvw.exe 50 PID 1936 wrote to memory of 1756 1936 mscorsvw.exe 50 PID 1936 wrote to memory of 1756 1936 mscorsvw.exe 50 PID 1936 wrote to memory of 2336 1936 mscorsvw.exe 56 PID 1936 wrote to memory of 2336 1936 mscorsvw.exe 56 PID 1936 wrote to memory of 2336 1936 mscorsvw.exe 56 PID 1936 wrote to memory of 2336 1936 mscorsvw.exe 56 PID 1936 wrote to memory of 2424 1936 mscorsvw.exe 60 PID 1936 wrote to memory of 2424 1936 mscorsvw.exe 60 PID 1936 wrote to memory of 2424 1936 mscorsvw.exe 60 PID 1936 wrote to memory of 2424 1936 mscorsvw.exe 60 PID 1936 wrote to memory of 944 1936 mscorsvw.exe 62 PID 1936 wrote to memory of 944 1936 mscorsvw.exe 62 PID 1936 wrote to memory of 944 1936 mscorsvw.exe 62 PID 1936 wrote to memory of 944 1936 mscorsvw.exe 62 PID 1936 wrote to memory of 2924 1936 mscorsvw.exe 63 PID 1936 wrote to memory of 2924 1936 mscorsvw.exe 63 PID 1936 wrote to memory of 2924 1936 mscorsvw.exe 63 PID 1936 wrote to memory of 2924 1936 mscorsvw.exe 63 PID 1936 wrote to memory of 2680 1936 mscorsvw.exe 64 PID 1936 wrote to memory of 2680 1936 mscorsvw.exe 64 PID 1936 wrote to memory of 2680 1936 mscorsvw.exe 64 PID 1936 wrote to memory of 2680 1936 mscorsvw.exe 64 PID 1936 wrote to memory of 1212 1936 mscorsvw.exe 65 PID 1936 wrote to memory of 1212 1936 mscorsvw.exe 65 PID 1936 wrote to memory of 1212 1936 mscorsvw.exe 65 PID 1936 wrote to memory of 1212 1936 mscorsvw.exe 65 PID 2412 wrote to memory of 892 2412 SearchIndexer.exe 66 PID 2412 wrote to memory of 892 2412 SearchIndexer.exe 66 PID 2412 wrote to memory of 892 2412 SearchIndexer.exe 66 PID 1936 wrote to memory of 2884 1936 mscorsvw.exe 74 PID 1936 
wrote to memory of 2884 1936 mscorsvw.exe 74 PID 1936 wrote to memory of 2884 1936 mscorsvw.exe 74 PID 1936 wrote to memory of 2884 1936 mscorsvw.exe 74 PID 2412 wrote to memory of 1920 2412 SearchIndexer.exe 68 PID 2412 wrote to memory of 1920 2412 SearchIndexer.exe 68 PID 2412 wrote to memory of 1920 2412 SearchIndexer.exe 68 PID 1936 wrote to memory of 3012 1936 mscorsvw.exe 69 PID 1936 wrote to memory of 3012 1936 mscorsvw.exe 69 PID 1936 wrote to memory of 3012 1936 mscorsvw.exe 69 PID 1936 wrote to memory of 3012 1936 mscorsvw.exe 69 PID 1936 wrote to memory of 1832 1936 mscorsvw.exe 70 PID 1936 wrote to memory of 1832 1936 mscorsvw.exe 70 PID 1936 wrote to memory of 1832 1936 mscorsvw.exe 70 PID 1936 wrote to memory of 1832 1936 mscorsvw.exe 70 PID 2412 wrote to memory of 2096 2412 SearchIndexer.exe 71 PID 2412 wrote to memory of 2096 2412 SearchIndexer.exe 71 PID 2412 wrote to memory of 2096 2412 SearchIndexer.exe 71 PID 1936 wrote to memory of 1620 1936 mscorsvw.exe 72 PID 1936 wrote to memory of 1620 1936 mscorsvw.exe 72 PID 1936 wrote to memory of 1620 1936 mscorsvw.exe 72 PID 1936 wrote to memory of 1620 1936 mscorsvw.exe 72 PID 1936 wrote to memory of 1956 1936 mscorsvw.exe 73 PID 1936 wrote to memory of 1956 1936 mscorsvw.exe 73 PID 1936 wrote to memory of 1956 1936 mscorsvw.exe 73 PID 1936 wrote to memory of 1956 1936 mscorsvw.exe 73 PID 1936 wrote to memory of 2884 1936 mscorsvw.exe 74 PID 1936 wrote to memory of 2884 1936 mscorsvw.exe 74 PID 1936 wrote to memory of 2884 1936 mscorsvw.exe 74 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe"C:\Users\Admin\AppData\Local\Temp\cf6a011cab80d671e4f7c3b9d631d5a6acdb974512339115ebe1295de6089f4f.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2780
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1484
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2692
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1f4 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 26c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 268 -NGENProcess 274 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1212
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 278 -Pipe 1dc -Comment "NGen Worker Process"2⤵PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 270 -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 274 -NGENProcess 280 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 284 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 27c -NGENProcess 294 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 298 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 29c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 278 -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 26c -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2ac -NGENProcess 280 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2248
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 2b4 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2c8 -NGENProcess 1c8 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 250 -NGENProcess 2d0 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a0 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d0 -NGENProcess 120 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 120 -NGENProcess 11c -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a0 -NGENProcess 2dc -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1f4 -NGENProcess 2e8 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 1f4 -NGENProcess 1c8 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2280
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e8 -NGENProcess 2f4 -Pipe 120 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 1c8 -NGENProcess 2f8 -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 1c8 -NGENProcess 11c -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 300 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:2168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 1f4 -NGENProcess 11c -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 1f4 -Comment "NGen Worker Process"2⤵PID:1084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 11c -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 314 -Pipe 1c8 -Comment "NGen Worker Process"2⤵PID:2436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e0 -NGENProcess 2e8 -Pipe 310 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 30c -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"2⤵PID:800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 314 -NGENProcess 320 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 318 -NGENProcess 320 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 11c -NGENProcess 324 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 31c -NGENProcess 32c -Pipe 318 -Comment "NGen Worker Process"2⤵PID:1176
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b4 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 240 -NGENProcess 1cc -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2824
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:820
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2368
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:292
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:584
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3064
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2588
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2560
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2744
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:848
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:836
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1408
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:2356
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1900
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1068
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3040
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2948
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:688
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2085049433-1067986815-1244098655-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2085049433-1067986815-1244098655-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:892
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1920
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2096
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
706KB
MD5d9bb8ce7e354ea9c9ff487cb5e2d9cc7
SHA150401080bf8864fc059bad56dca7c9e3a01155eb
SHA256dccb21b306a707946008601a126476c7a75009294af664c296c0293f17ea1499
SHA512972123f699e6e6005f3e02d4848788376224e7ce1d7a828d79efa059fc70d2698fd80a4c8cf068c3a4ab7a8262ddd49ff91ac77aa09c921119eedae3d3914216
-
Filesize
30.1MB
MD57f55a955d0b01ebbddd0fd3fd72686ea
SHA1e6d1bd9aacd5772a051865fcfb1428b1354a47f0
SHA256b9cf5741c2ecd1459d2fc25092598a157e1370594d876bcb389db98f0cd2017a
SHA5123f5496089678f24442d6c60a63cbcc20b6d4475ab3b67da1120e2275292c2f39b76972990cdf371ee0fca78e5e6e47a4955824724ec9b68d0c8a6f9ca63cd86e
-
Filesize
781KB
MD533d8ae22cfdbe34bcc792b37eacc5632
SHA19ba589c99bcc51d0a62bc1d5fe84d7e0faed649d
SHA2562a3c445fe7e4ba8f610a01dcd3331287187ac6912d968e1dcf423d0416941805
SHA51241637590f3df4362e7e3f18f5f904d17bb29ff182d937ad845c0ac813ed3396dcdc59f33d581c0085b075a9d25b696b2ec24d17bb0a47255b27f64a88d385c78
-
Filesize
5.2MB
MD555dde6b4d2b7474dfd82d3fc90a78619
SHA198f29ec232357f2a2b50a1f47c2da25890c9e40a
SHA256e4e52052cef339a7ff94c932b177a449249958837e283c4ec21693d09ac98d62
SHA512e04ce80e99dd6099c9ec46630237cc1b5c696fd97d65d12ffdb827bf329fbd3aab1184561d97cd0b3348e70e2b9c3f17014d2ec473e98a53817608d34ed93428
-
Filesize
2.1MB
MD50f34a0553315ce87e3035da858bb3073
SHA1edd062c406bf4da5c7e2d14423adf073a73789e3
SHA256c5f5fcc3efd71c068cdb9c416775ddd1571b32ba891c5f58f196cab8b0f7edc2
SHA5128a0b1678f93b47ca587d89bfbedc3842e62433d56b29e3f35c8a671cb5180a5ced489ffd4cb262dfa23c0c2d50267eeadd30b19146364dfa33761ae4359eba72
-
Filesize
2.0MB
MD5caa4d74cb4a0b80a1f1900d497077b60
SHA14f960df02215b0e9efd6c32103a69404f4579858
SHA2562ed5bebfb1f186b1171bcbdca80aa5471ab20f7055bd6cb6e0806e04efcd4484
SHA51227f0a0ef16cbdc814b3e36f13345d70e2415c3f812d03cfae73b67c11be378544d10dcfca2a5ad8557bfd89dd8da13c79d7521dcc93c85399617f36cd48da762
-
Filesize
1024KB
MD50431dc83ba0a1f0461d0669a3c3fb3ce
SHA1f90bfeed24c7e4f5efad08d715b9df3c8ca32504
SHA25661523f68dec2ff38561f76e3edeb18d5c2e4eb432017a4e329058bf2d2042149
SHA512074934dee0341c3e26c1b88f70a9d3bb9dae19560e66e8e1cd86c654fd084539f1bf280f95a1f93395abaa0abd896aa42311a5ce4790a8d273041ca2df16ae1c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
648KB
MD579357145f004a855420a80bac492ea58
SHA12239d6be452d84e527b099ba9aca3267e064fd3f
SHA25657395c3a99c20e2bb8f8ef4b5b09a2daea703d42ba3ca371093e03b6cc3beb52
SHA512525d975871972a0503052d8f3d94ed4cb9e80f8c5ebffbde528ae9ffa67c77c6507f86b864bd3ad2a3b4da0d5b413134bfb7d7a88ad52d7d1c963ad431b9555a
-
Filesize
648KB
MD579357145f004a855420a80bac492ea58
SHA12239d6be452d84e527b099ba9aca3267e064fd3f
SHA25657395c3a99c20e2bb8f8ef4b5b09a2daea703d42ba3ca371093e03b6cc3beb52
SHA512525d975871972a0503052d8f3d94ed4cb9e80f8c5ebffbde528ae9ffa67c77c6507f86b864bd3ad2a3b4da0d5b413134bfb7d7a88ad52d7d1c963ad431b9555a
-
Filesize
872KB
MD5255d2c3eba4707e8c6bbdfd0af6eb909
SHA15fc6510ed7057480d91fd2c79102dcb90203a9d9
SHA256c7cf9836dc62c576debea973c1a2c3fca9e9d4e024ee21113cf32b8fefd49e9d
SHA512ce5ef9d722ca279ece3372613fd879ebd5bcf2b4d82d5ce10786f45d6aa795038a2ef927a4873b56a65f0cf982eb20e8c5c221c4153a5559aefc50d01899ec94
-
Filesize
603KB
MD561b6f8cefb8de3e40e6b4aabdcf83116
SHA1e8fb1df4d21c998c9d64a10adc0b73ca309c3235
SHA2562e3b3bb880e9147b7e58c39c367c2826ff4fcd738f87dc595bdcad3edbe4b124
SHA512b0ec17a526e121988df8e67b17d3fa4a0465c41d46521e21071bc0d9c81e083da6332bfc5084dd596b5489189843b67fbc8c61550a4a63523221ecccdb776942
-
Filesize
678KB
MD50fa84a70539e054a91719d6f5d333f8a
SHA120967364487158f89d043c4b8a651cbe5f5ca795
SHA2569aa918850dbb4169428257ccd6dfe09a0f1bb40fef81e3a3bafe29f0df22b880
SHA512f8bc4f2106e22ae0e98f51dcad5a6e14a9d7bc1db95bf448398ce6570d0ef0f64943f1b81921f7e04a7005a76319b7bb4ff0de9571483db072378a3a2d04a3a7
-
Filesize
678KB
MD50fa84a70539e054a91719d6f5d333f8a
SHA120967364487158f89d043c4b8a651cbe5f5ca795
SHA2569aa918850dbb4169428257ccd6dfe09a0f1bb40fef81e3a3bafe29f0df22b880
SHA512f8bc4f2106e22ae0e98f51dcad5a6e14a9d7bc1db95bf448398ce6570d0ef0f64943f1b81921f7e04a7005a76319b7bb4ff0de9571483db072378a3a2d04a3a7
-
Filesize
625KB
MD514516677a5be04627b88f833cc3a5d09
SHA1ec1c29ecfe3cdde9a39656d111bdb0d720581b0e
SHA256b0c8ccb91fd774c45c711e6c5436fddb442249b08f1d6fbe391fd2c42fb19279
SHA5122d397fe1f8ce1f86f5ae12bac5adece508495d0066db192faccc1032f288152e591dd4c0270c1f5e7e08d2b272fc018677dc938d66f8b9f2cd79c520de3ea1af
-
Filesize
625KB
MD514516677a5be04627b88f833cc3a5d09
SHA1ec1c29ecfe3cdde9a39656d111bdb0d720581b0e
SHA256b0c8ccb91fd774c45c711e6c5436fddb442249b08f1d6fbe391fd2c42fb19279
SHA5122d397fe1f8ce1f86f5ae12bac5adece508495d0066db192faccc1032f288152e591dd4c0270c1f5e7e08d2b272fc018677dc938d66f8b9f2cd79c520de3ea1af
-
Filesize
1003KB
MD505ae697dff5ad2b9aeb85a43c3afa6b0
SHA19a97c96c12c19b6c0df9fda9b543b39e5f16e6ac
SHA256ec82e7aa24fa0ae21937b718a393d0cacf56bbed5122d423f2515c99135ebc05
SHA51200036d4867c20cf741bb8e53ba27690f9bd2212558de37ee278c1ba640f820189cdbbcccb98f21a147511802c9e79a116ccb69c2bb4748f183365d45e8a59dbc
-
Filesize
656KB
MD5728f06dd9c9dd831cd9f40e5e38ac02e
SHA1cac2d37dab4908aa2a498b652ecc54479b7dd57a
SHA25663a4f921e51e3bdfdbe9c323d96399409ad0042cb32e1a6a8306402c7dc7eab5
SHA51280a510ded32479b9018c83b7361eca46754fac79ce8918a4d74ef17ca7a9ff05f278197b794febb5bc7420e2d0b2cf0ecb3c2fb6e60009be5e9f043d301bff1d
-
Filesize
656KB
MD5728f06dd9c9dd831cd9f40e5e38ac02e
SHA1cac2d37dab4908aa2a498b652ecc54479b7dd57a
SHA25663a4f921e51e3bdfdbe9c323d96399409ad0042cb32e1a6a8306402c7dc7eab5
SHA51280a510ded32479b9018c83b7361eca46754fac79ce8918a4d74ef17ca7a9ff05f278197b794febb5bc7420e2d0b2cf0ecb3c2fb6e60009be5e9f043d301bff1d
-
Filesize
656KB
MD5
728f06dd9c9dd831cd9f40e5e38ac02e
SHA1
cac2d37dab4908aa2a498b652ecc54479b7dd57a
SHA256
63a4f921e51e3bdfdbe9c323d96399409ad0042cb32e1a6a8306402c7dc7eab5
SHA512
80a510ded32479b9018c83b7361eca46754fac79ce8918a4d74ef17ca7a9ff05f278197b794febb5bc7420e2d0b2cf0ecb3c2fb6e60009be5e9f043d301bff1d
(the report lists this 656KB artifact 17 consecutive times with identical digests)
-
Filesize
8KB
MD5
71cae0513ce57c15d33aa60b6a3e6cc7
SHA1
a21f5a5ad30a23fc5346f7d9a2429285c83f9a8f
SHA256
caf68372db4d2c556125889cc42b7521819a4551ab7c921061222ea644284629
SHA512
5253a07f77ea692bc70a1c03b9bd85cf294eb32f65726a8a522b01ed93700a3649c10b5bb845f021d266dafc68fd2d5689468b1e5fcd35a5e96712c01bd8e777
-
Filesize
587KB
MD5
786477b9df96e0eed20d80d2b2dbda44
SHA1
43d82d5149d23e706bf4ff765ef8694070b2e0ca
SHA256
f57a6503cbd8375375851fa0756a41051c90c4eb9f44ababfc8ee26f082289a2
SHA512
6f1938a5c040fc4d1fdcc2f57698630f116e820012297cddb4634f4eff219234dff0e04faa6989a9aa96951cdc106f64017e25629a865eca63176c95f6cec18c
-
Filesize
577KB
MD5
7c41728a5593096a3f002a5e6d7320e0
SHA1
878fc795983906dd742f2a3fd021d33a626b0081
SHA256
9dd127252a3fe153546afd255ebe2450b96d2f90691d1f53b99f44285db2942d
SHA512
a515b716eed357092326236a6f87187ec7c4451f984a0ffadd952188022f768c6b5fe883370a9ce3377a440c03b87df95bd1a1a684f5ae7b3d7a16c977124eb3
-
Filesize
1.1MB
MD5
e8e36595190dc11eea2249b7078df3d7
SHA1
b66548dffb933ecde6f710187a75f961f7ea2b61
SHA256
e36e38521bf6932687fc90c5a8c8bc1292c73073ef8294960c3fe5a2b175a968
SHA512
7f46dd7ed7a162cef2807243510bb160f6b0b63a2376ee296c5a86f5cfd85f010fd1c00eec9147e041d07ddc09bc26f7ad18ca6a02b346f3ce00b22f84e451a6
-
Filesize
2.1MB
MD5
76efd0e4fb68f0f914c9c1152afd07c1
SHA1
a17cd2884952911101bd884801a467bc8294e465
SHA256
6d767044a7c8ecf53c862822914d7938493da0906cd8f16a6d05fb17efd1a7c7
SHA512
1225a2da360e6502662571a3d3345afd2eea3bb4ea6da6ba1ff3fb3230c5edf8baa566688f8f8a7e9ca63aedd89baf5a0d21e2058a23d514f0d70275ce4adbfd
-
Filesize
644KB
MD5
7752784aa5b75b3e5cae37891394902e
SHA1
2dd944e7ccf2ca465e4779df5edc5fa61004b916
SHA256
496384a379a7d69479c4b9c58438de285c852f3e454a7f2fdec1db5280bc50a1
SHA512
14c81deca39cc088678f9373bde98160c97a03164836f282ef1cfb0ea1afb51478457b86502c03df4c3c7e67712100b357cf7a8e30464bcb424e6ca2358adc76
-
Filesize
577KB
MD5
433ccd7685733dbafd1c0991f037b19d
SHA1
b3c6bb3bf9cb188ba667e48098a4cd3e8f83b75c
SHA256
5b2d7dc8c53b56049fe5b78fabc147c7610b7685652d1e1a29556003ade10950
SHA512
32494f9ead87dbfa2cdea9e09f1022a6480f03f48a1b91a5d9821370aa4b3a7af1b679542530e2c2a9e72e980ae7adba293f29e4d365f5e79748403ab5dae2c9
-
Filesize
674KB
MD5
b125b39185152277c2acabf4e501159e
SHA1
81719c015aeb2d5a1e803484df0e60651a8527d4
SHA256
4d98d4b5c3aee122f6f55bd3c0abccd2999af583f5f55b5dbe2a7660e2dea797
SHA512
5dc39e3575462861f6c910aea2a74d3faf52e68788a0336544ff594d37722c15e7435978caa747c4c4bab022207b6cd3f69b422c0a91331d79b9c98c89e376c7
-
Filesize
705KB
MD5
c1bd996a0d2f23a5e2c7c10fea373e43
SHA1
d7cf12c9977e6ec3cbc71b6a39930e419c3d6b51
SHA256
ff83f1bd566265ebfe86b160889f60e2d04cea67745163a1dab7aa47556294d6
SHA512
d73f8a41f3fe130084ab0c31a2632c38556496891f26b75533c463d24eaa4b7c03d24a20e1786e7034b8ba1272113042759746e57b0acc6c8902aa31cf7c365c
-
Filesize
691KB
MD5
3473dc88f14ccbb9130df9dff0a5d972
SHA1
bf0dba962d213dbeef3f010a79733d6cafbc0842
SHA256
3811ac8e2bc577d9ceb8f55721d1a81c7be32b28a312a783d6c34b33951bbfa3
SHA512
915c82c202c7d0ecd47c8b3536e238280e44e12242d285c3677f33500d15347748764f96cde8ecec6a55161d07df2b715cca353f9d2027c27fd7e635ad7bd9a9
-
Filesize
581KB
MD5
f44cbdb4fe0d8ef8292dc308d723b7ee
SHA1
849bcf2033c5e7a89d75e4654854e534b134d361
SHA256
8a2da799f49da8a8293fddf53807cd307d15b4ba0937109654efcb95c5046ebc
SHA512
11422fdd38675dead54c7bfdb68d496b3691e53b6af277535028c3de9f44a2b8017b824c47337f529acebe446fb5407d579fbfadfd584a9e5d74525945c43351
-
Filesize
1.1MB
MD5
e5e84843516dc0956d19f5c453ff6364
SHA1
a661d56d9ab1084e91e9ba5ed468be7a0cadc0fe
SHA256
ab542b1e6e14685f0785cde694e5467ba6cd53f7505b300c89e677f67f046538
SHA512
4ba7f917e47f5e255edd699eaff0e5d0d1ef48576272d7975e70bdc5d366369672f3c6182eba7abd533e193815907ba57238722e2cca4f89bf4ffccc4c296ab4
-
Filesize
765KB
MD5
21d18387bb7de2d1685558c2e4f62ab3
SHA1
ce9e9d141cb921b2a2ba6abe3330ae97f3056e33
SHA256
a0ff541a810172f66928bae626b01bc9b81af8815f2146e02066a4e0da72ebfc
SHA512
bfe40eef3648f51e81de94216f93a5bca4c61a4db26bd20afb090c665f9cad078fed481fdc5b22352552e1cc11abcefc3739eecce4331eb94ec0f27c92b55422
-
Filesize
2.0MB
MD5
e5b8face8510020bd025ef653b9322b5
SHA1
0914608d8a479a366ddd388eb4d25760a55b1510
SHA256
dc852bed74392f430463c29b1ee4eb6359631b820d0158fda163e0b8eb9eb3f0
SHA512
de75906eb5449fd889924acbdbd0a961dd674a3f41081f259d99149d5bde03403b50deeb9faccf87958e0d65c47175969e3044684142b22a0e294c6995eb8e7e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB
MD5
ac901cf97363425059a50d1398e3454b
SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB
MD5
c26b034a8d6ab845b41ed6e8a8d6001d
SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB
MD5
0fd0f978e977a4122b64ae8f8541de54
SHA1
153d3390416fdeba1b150816cbbf968e355dc64f
SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB
MD5
3c269caf88ccaf71660d8dc6c56f4873
SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB
MD5
4f40997b51420653706cb0958086cd2d
SHA1
0069b956d17ce7d782a0e054995317f2f621b502
SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB
MD5
e3a7a2b65afd8ab8b154fdc7897595c3
SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB
MD5
aefc3f3c8e7499bad4d05284e8abd16c
SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB
MD5
9c60454398ce4bce7a52cbda4a45d364
SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB
MD5
2735d2ab103beb0f7c1fbd6971838274
SHA1
6063646bc072546798bf8bf347425834f2bfad71
SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB
MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB
MD5
71d4273e5b77cf01239a5d4f29e064fc
SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
Filesize
1.2MB
MD5
7e154209970056989a34b628a9b17cec
SHA1
579be6d7ffde30875594afaf91fae43cb10d844c
SHA256
edff6f52b050e33c7a47ab83fb761f82ef520e3e22f558131b05ae54368134d6
SHA512
aaf1e93be22479ab5d5c01c58b48f8c495b2983ed7bb63849ec08678b41113ffff0d7d61feb18bf0adde12411076d8968fd60784b2d68629b6c1a5c93be02460
-
Filesize
691KB
MD5
a3173419640386b76a39df86fd41fc8e
SHA1
2b7412324b1b1b8c9f16a764c37e0a1af564480e
SHA256
9f79df9d8445e48ef9dfbcb7b98dc2f65bd7806b739ac7322b92f0c998973378
SHA512
2d4b93bdd027cea5dfb7eaa9446471f1884bf6d43e197c84449f5c956a88985632cf951d84052afd75be6aa07b98dce4d6c517eb2a6e92f5eb3136dc187e45d2
-
Filesize
691KB
MD5
3473dc88f14ccbb9130df9dff0a5d972
SHA1
bf0dba962d213dbeef3f010a79733d6cafbc0842
SHA256
3811ac8e2bc577d9ceb8f55721d1a81c7be32b28a312a783d6c34b33951bbfa3
SHA512
915c82c202c7d0ecd47c8b3536e238280e44e12242d285c3677f33500d15347748764f96cde8ecec6a55161d07df2b715cca353f9d2027c27fd7e635ad7bd9a9
-
Filesize
2.0MB
MD5
caa4d74cb4a0b80a1f1900d497077b60
SHA1
4f960df02215b0e9efd6c32103a69404f4579858
SHA256
2ed5bebfb1f186b1171bcbdca80aa5471ab20f7055bd6cb6e0806e04efcd4484
SHA512
27f0a0ef16cbdc814b3e36f13345d70e2415c3f812d03cfae73b67c11be378544d10dcfca2a5ad8557bfd89dd8da13c79d7521dcc93c85399617f36cd48da762
(the report lists this 2.0MB artifact twice in a row with identical digests)
-
Filesize
648KB
MD5
79357145f004a855420a80bac492ea58
SHA1
2239d6be452d84e527b099ba9aca3267e064fd3f
SHA256
57395c3a99c20e2bb8f8ef4b5b09a2daea703d42ba3ca371093e03b6cc3beb52
SHA512
525d975871972a0503052d8f3d94ed4cb9e80f8c5ebffbde528ae9ffa67c77c6507f86b864bd3ad2a3b4da0d5b413134bfb7d7a88ad52d7d1c963ad431b9555a
-
Filesize
603KB
MD5
61b6f8cefb8de3e40e6b4aabdcf83116
SHA1
e8fb1df4d21c998c9d64a10adc0b73ca309c3235
SHA256
2e3b3bb880e9147b7e58c39c367c2826ff4fcd738f87dc595bdcad3edbe4b124
SHA512
b0ec17a526e121988df8e67b17d3fa4a0465c41d46521e21071bc0d9c81e083da6332bfc5084dd596b5489189843b67fbc8c61550a4a63523221ecccdb776942
-
Filesize
577KB
MD5
7c41728a5593096a3f002a5e6d7320e0
SHA1
878fc795983906dd742f2a3fd021d33a626b0081
SHA256
9dd127252a3fe153546afd255ebe2450b96d2f90691d1f53b99f44285db2942d
SHA512
a515b716eed357092326236a6f87187ec7c4451f984a0ffadd952188022f768c6b5fe883370a9ce3377a440c03b87df95bd1a1a684f5ae7b3d7a16c977124eb3
-
Filesize
644KB
MD5
7752784aa5b75b3e5cae37891394902e
SHA1
2dd944e7ccf2ca465e4779df5edc5fa61004b916
SHA256
496384a379a7d69479c4b9c58438de285c852f3e454a7f2fdec1db5280bc50a1
SHA512
14c81deca39cc088678f9373bde98160c97a03164836f282ef1cfb0ea1afb51478457b86502c03df4c3c7e67712100b357cf7a8e30464bcb424e6ca2358adc76
-
Filesize
577KB
MD5
433ccd7685733dbafd1c0991f037b19d
SHA1
b3c6bb3bf9cb188ba667e48098a4cd3e8f83b75c
SHA256
5b2d7dc8c53b56049fe5b78fabc147c7610b7685652d1e1a29556003ade10950
SHA512
32494f9ead87dbfa2cdea9e09f1022a6480f03f48a1b91a5d9821370aa4b3a7af1b679542530e2c2a9e72e980ae7adba293f29e4d365f5e79748403ab5dae2c9
-
Filesize
674KB
MD5
b125b39185152277c2acabf4e501159e
SHA1
81719c015aeb2d5a1e803484df0e60651a8527d4
SHA256
4d98d4b5c3aee122f6f55bd3c0abccd2999af583f5f55b5dbe2a7660e2dea797
SHA512
5dc39e3575462861f6c910aea2a74d3faf52e68788a0336544ff594d37722c15e7435978caa747c4c4bab022207b6cd3f69b422c0a91331d79b9c98c89e376c7
-
Filesize
705KB
MD5
c1bd996a0d2f23a5e2c7c10fea373e43
SHA1
d7cf12c9977e6ec3cbc71b6a39930e419c3d6b51
SHA256
ff83f1bd566265ebfe86b160889f60e2d04cea67745163a1dab7aa47556294d6
SHA512
d73f8a41f3fe130084ab0c31a2632c38556496891f26b75533c463d24eaa4b7c03d24a20e1786e7034b8ba1272113042759746e57b0acc6c8902aa31cf7c365c
-
Filesize
691KB
MD5
3473dc88f14ccbb9130df9dff0a5d972
SHA1
bf0dba962d213dbeef3f010a79733d6cafbc0842
SHA256
3811ac8e2bc577d9ceb8f55721d1a81c7be32b28a312a783d6c34b33951bbfa3
SHA512
915c82c202c7d0ecd47c8b3536e238280e44e12242d285c3677f33500d15347748764f96cde8ecec6a55161d07df2b715cca353f9d2027c27fd7e635ad7bd9a9
(the report lists this 691KB artifact twice in a row with identical digests)
-
Filesize
581KB
MD5
f44cbdb4fe0d8ef8292dc308d723b7ee
SHA1
849bcf2033c5e7a89d75e4654854e534b134d361
SHA256
8a2da799f49da8a8293fddf53807cd307d15b4ba0937109654efcb95c5046ebc
SHA512
11422fdd38675dead54c7bfdb68d496b3691e53b6af277535028c3de9f44a2b8017b824c47337f529acebe446fb5407d579fbfadfd584a9e5d74525945c43351
-
Filesize
765KB
MD5
21d18387bb7de2d1685558c2e4f62ab3
SHA1
ce9e9d141cb921b2a2ba6abe3330ae97f3056e33
SHA256
a0ff541a810172f66928bae626b01bc9b81af8815f2146e02066a4e0da72ebfc
SHA512
bfe40eef3648f51e81de94216f93a5bca4c61a4db26bd20afb090c665f9cad078fed481fdc5b22352552e1cc11abcefc3739eecce4331eb94ec0f27c92b55422
-
Filesize
2.0MB
MD5
e5b8face8510020bd025ef653b9322b5
SHA1
0914608d8a479a366ddd388eb4d25760a55b1510
SHA256
dc852bed74392f430463c29b1ee4eb6359631b820d0158fda163e0b8eb9eb3f0
SHA512
de75906eb5449fd889924acbdbd0a961dd674a3f41081f259d99149d5bde03403b50deeb9faccf87958e0d65c47175969e3044684142b22a0e294c6995eb8e7e
-
Filesize
1.2MB
MD5
7e154209970056989a34b628a9b17cec
SHA1
579be6d7ffde30875594afaf91fae43cb10d844c
SHA256
edff6f52b050e33c7a47ab83fb761f82ef520e3e22f558131b05ae54368134d6
SHA512
aaf1e93be22479ab5d5c01c58b48f8c495b2983ed7bb63849ec08678b41113ffff0d7d61feb18bf0adde12411076d8968fd60784b2d68629b6c1a5c93be02460
-
Filesize
691KB
MD5
a3173419640386b76a39df86fd41fc8e
SHA1
2b7412324b1b1b8c9f16a764c37e0a1af564480e
SHA256
9f79df9d8445e48ef9dfbcb7b98dc2f65bd7806b739ac7322b92f0c998973378
SHA512
2d4b93bdd027cea5dfb7eaa9446471f1884bf6d43e197c84449f5c956a88985632cf951d84052afd75be6aa07b98dce4d6c517eb2a6e92f5eb3136dc187e45d2
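The listing above is flattened report output: most entries lost their path line, labels are sometimes fused with their digest ("MD5728f..."), and the same digests recur many times. The entries whose paths survived show one entry per file path, so a repeated digest most likely means one piece of content dropped at several locations rather than several distinct files. The following parser is an added example, not part of the report or of any sandbox vendor's tooling: it reads this exact layout, checks that every digest has the right hex length, collapses entries by SHA256 with a count, and flags paths under `\assembly\NativeImages_*`, which is the .NET native-image cache written by ngen / mscorsvw.exe and should be triaged separately from the unknown-path artifacts. The embedded sample is an excerpt of three entries from the listing above; all function names are this example's own.

```python
"""Parse a flattened sandbox dropped-file hash listing and collapse repeats.

Added example, not part of the original report. The input format is the one
seen on this page: entries separated by lines containing only "-", an optional
path line, then label/value pairs where the label is either on its own line
("MD5" then "728f...") or fused with its value ("MD5728f...").
"""
import re
from collections import OrderedDict

# Digest labels the listing uses and the hex length each must have.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Excerpt of the listing above (three entries; the first two are the same 656KB artifact).
SAMPLE = r"""
-
Filesize
656KB
MD5728f06dd9c9dd831cd9f40e5e38ac02e
SHA1cac2d37dab4908aa2a498b652ecc54479b7dd57a
SHA25663a4f921e51e3bdfdbe9c323d96399409ad0042cb32e1a6a8306402c7dc7eab5
SHA51280a510ded32479b9018c83b7361eca46754fac79ce8918a4d74ef17ca7a9ff05f278197b794febb5bc7420e2d0b2cf0ecb3c2fb6e60009be5e9f043d301bff1d
-
Filesize
656KB
MD5728f06dd9c9dd831cd9f40e5e38ac02e
SHA1cac2d37dab4908aa2a498b652ecc54479b7dd57a
SHA25663a4f921e51e3bdfdbe9c323d96399409ad0042cb32e1a6a8306402c7dc7eab5
SHA51280a510ded32479b9018c83b7361eca46754fac79ce8918a4d74ef17ca7a9ff05f278197b794febb5bc7420e2d0b2cf0ecb3c2fb6e60009be5e9f043d301bff1d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
"""


def parse_entries(text):
    """Return one dict per entry: optional "path" plus Filesize/MD5/SHA1/SHA256/SHA512."""
    entries, cur, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                     # entry separator
            if cur:
                entries.append(cur)
            cur, pending = {}, None
            continue
        if pending is not None:             # value for a label seen on the previous line
            cur[pending] = line
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                cur[label] = value          # fused form: "MD5728f..."
            else:
                pending = label             # split form: "MD5" then the digest
        else:
            cur["path"] = line              # anything else is the artifact path
    if cur:
        entries.append(cur)
    return entries


def validate(entry):
    """List what is wrong with an entry's digests; an empty list means well-formed."""
    problems = []
    for label, n in HEX_LEN.items():
        v = entry.get(label)
        if v is None:
            problems.append("missing " + label)
        elif len(v) != n or not HEX_RE.match(v):
            problems.append(label + " is not " + str(n) + " hex characters")
    return problems


def collapse(entries):
    """Group entries by SHA256 in first-seen order, with a count and any surviving paths."""
    groups = OrderedDict()
    for e in entries:
        g = groups.setdefault(e.get("SHA256"), {"entry": e, "count": 0, "paths": []})
        g["count"] += 1
        if "path" in e:
            g["paths"].append(e["path"])
    return list(groups.values())


def is_ngen_cache(path):
    """True for files under the .NET native-image cache, which ngen / mscorsvw.exe writes."""
    return "\\assembly\\nativeimages_" in path.lower()


if __name__ == "__main__":
    for g in collapse(parse_entries(SAMPLE)):
        e = g["entry"]
        tag = " [ngen cache]" if any(is_ngen_cache(p) for p in g["paths"]) else ""
        print(f'{e["SHA256"]}  {e["Filesize"]:>6}  x{g["count"]}{tag}')
        for p in validate(e):
            print("   problem:", p)
```

Run against the full page text instead of `SAMPLE`, the collapsed output is the unique set of dropped content worth hunting for; the count per SHA256 tells you how widely each payload was written, and the `[ngen cache]` tag separates compiler-generated `.ni.dll` files from the drops that have no recoverable path.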