Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 11/04/2024, 03:41
Static task: static1
Behavioral task: behavioral1
Sample: e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
Resource: win7-20240215-en
General
- Target: e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
- Size: 577KB
- MD5: a327ac10a9efd79b8bebb7417ba940c9
- SHA1: 745835813c60ab30b2dfff2ee3a6e52f9443ad2e
- SHA256: e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7
- SHA512: 984aca3af97b038af6f94f9ee19f97d1bb7b3aabfa0a686223a1952cdcdaa107086742f7d805ddee230804e1cb230d3b49ca70bdf7e7d4e44a23c3948cb77e5e
- SSDEEP: 12288:nMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:MSkQ/7Gb8NLEbeZ
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 37 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\alg.exe | e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\55bf36f5bfe435d8.bin | alg.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe"C:\Users\Admin\AppData\Local\Temp\e0335821c33a1b0e9b32335d1268f86063fc95bc1bc5d53226b1d9f1eaf6a3a7.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2664
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1e4 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 25c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 1d0 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 284 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 250 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e4 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 250 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 268 -NGENProcess 28c -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 250 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 26c -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 268 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2920
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 26c -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 220 -NGENProcess 2ac -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 2c4 -NGENProcess 288 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 270 -NGENProcess 2cc -Pipe 220 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 270 -NGENProcess 2c8 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:280
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c8 -NGENProcess 2cc -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2e0 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2c8 -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e8 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ac -NGENProcess 2f4 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2f8 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2f8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f0 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2bc -NGENProcess 2f8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f0 -NGENProcess 308 -Pipe 300 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c8 -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f8 -NGENProcess 310 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2c4 -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2140
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 310 -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1276
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2bc -NGENProcess 320 -Pipe 318 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 320 -NGENProcess 314 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 328 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2212
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2bc -NGENProcess 32c -Pipe 320 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 330 -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2f8 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 328 -NGENProcess 32c -Pipe 30c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 314 -NGENProcess 334 -Pipe 310 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2728
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 338 -NGENProcess 334 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:2992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2bc -NGENProcess 344 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 328 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:1796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 31c -NGENProcess 350 -Pipe 314 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 350 -NGENProcess 34c -Pipe 344 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 330 -NGENProcess 358 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 34c -Pipe 338 -Comment "NGen Worker Process"2⤵PID:1720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 360 -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:3008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 330 -NGENProcess 364 -Pipe 334 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 32c -NGENProcess 368 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 368 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"2⤵PID:2640
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 32c -Pipe 360 -Comment "NGen Worker Process"2⤵PID:1856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 370 -Pipe 350 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 374 -NGENProcess 37c -Pipe 34c -Comment "NGen Worker Process"2⤵PID:636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 328 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 380 -NGENProcess 368 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:3068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 388 -NGENProcess 37c -Pipe 384 -Comment "NGen Worker Process"2⤵PID:2672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 390 -NGENProcess 358 -Pipe 38c -Comment "NGen Worker Process"2⤵PID:2584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 390 -NGENProcess 388 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 390 -NGENProcess 394 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 390 -NGENProcess 378 -Pipe 388 -Comment "NGen Worker Process"2⤵PID:1744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a4 -NGENProcess 390 -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:1676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"2⤵PID:2028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a8 -NGENProcess 3a4 -Pipe 37c -Comment "NGen Worker Process"2⤵PID:1872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 3a8 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"2⤵PID:2308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3a8 -NGENProcess 328 -Pipe 3a4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3a8 -NGENProcess 368 -Pipe 390 -Comment "NGen Worker Process"2⤵PID:1280
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 370 -NGENProcess 328 -Pipe 398 -Comment "NGen Worker Process"2⤵PID:1304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 394 -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:304
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2656
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2488
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2824
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2864
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1684
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1332
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:596
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize 148KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize 34KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize 109KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1f5d757f0db1005daa2dee10d6117655\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize 143KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize 41KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\40bbc6963eeb62795c5e45c7bec3e871\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize 180KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize 210KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize 53KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\952d88d0ad2613018ab94ed906ed6379\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize 187KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ad333002d5af315ce99c6efc16f2735e\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize 83KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize 28KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize 27KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize 57KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize 130KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize 59KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize 42KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize 855KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize 43KB
-