Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/04/2024, 02:49
Static task
static1
Behavioral task
behavioral1
Sample
cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
Resource
win7-20240221-en
General
-
Target
cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe
-
Size
625KB
-
MD5
a833081033be25dab5419209fd333d4e
-
SHA1
5f26f29c8ad182ed70fefe3144e0ab1a797f1a50
-
SHA256
cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82
-
SHA512
51b481c0b690b05b71465af526c702c394486e0bd538c06420ffbaf5180ef3ca870c407957c055b45bcd3fe864fae6a3171dbf9048ca73c286cea620ab11e1a4
-
SSDEEP
12288:z2SGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhn:C1t/sBlDqgZQd6XKtiMJYiPUn
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 464 Process not Found 2568 alg.exe 2668 aspnet_state.exe 2480 mscorsvw.exe 2016 mscorsvw.exe 2832 mscorsvw.exe 1636 mscorsvw.exe 1052 ehRecvr.exe 320 ehsched.exe 1832 elevation_service.exe 1532 dllhost.exe 1616 GROOVE.EXE 1756 maintenanceservice.exe 1576 mscorsvw.exe 2860 OSE.EXE 312 OSPPSVC.EXE 2504 mscorsvw.exe 2036 mscorsvw.exe 2632 mscorsvw.exe 1268 mscorsvw.exe 2776 mscorsvw.exe 1368 mscorsvw.exe 1952 mscorsvw.exe 2364 mscorsvw.exe 2696 mscorsvw.exe 1284 mscorsvw.exe 1488 mscorsvw.exe 2188 mscorsvw.exe 2796 mscorsvw.exe 1596 mscorsvw.exe 1680 mscorsvw.exe 1856 mscorsvw.exe 2800 mscorsvw.exe 796 mscorsvw.exe 2252 mscorsvw.exe 2484 mscorsvw.exe 1492 mscorsvw.exe 2220 mscorsvw.exe 2312 mscorsvw.exe 696 mscorsvw.exe 2948 msdtc.exe 1292 msiexec.exe 1104 perfhost.exe 2252 locator.exe 2856 snmptrap.exe 1740 vds.exe 584 vssvc.exe 3048 wbengine.exe 1768 WmiApSrv.exe 904 wmpnetwk.exe 2176 SearchIndexer.exe 784 mscorsvw.exe 2148 mscorsvw.exe 2836 mscorsvw.exe 296 mscorsvw.exe 1716 mscorsvw.exe 1760 mscorsvw.exe 2512 mscorsvw.exe 1580 mscorsvw.exe 2788 mscorsvw.exe 1620 mscorsvw.exe 1756 mscorsvw.exe 1736 mscorsvw.exe 1120 mscorsvw.exe -
Loads dropped DLL 28 IoCs
pid Process 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 1292 msiexec.exe 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 748 Process not Found 1716 mscorsvw.exe 1716 mscorsvw.exe 2512 mscorsvw.exe 2512 mscorsvw.exe 2788 mscorsvw.exe 2788 mscorsvw.exe 1756 mscorsvw.exe 1756 mscorsvw.exe 1120 mscorsvw.exe 1120 mscorsvw.exe 840 mscorsvw.exe 840 mscorsvw.exe 884 mscorsvw.exe 884 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\dllhost.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe File opened for modification C:\Windows\System32\alg.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b741d4369a3c2c1c.bin alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe aspnet_state.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{89C4F14B-4003-4E4F-9969-A2103971EDD4}\chrome_installer.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe aspnet_state.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe aspnet_state.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe aspnet_state.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe aspnet_state.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8CE4.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Windows\ehome\ehsched.exe aspnet_state.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E71.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe alg.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe aspnet_state.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe alg.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP72CF.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File opened for modification C:\Windows\ehome\ehRecvr.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File opened for modification C:\Windows\ehome\ehsched.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{04563BBD-C5F7-45CD-B2D9-8C689E46FB79}.crmlog dllhost.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA14E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe aspnet_state.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E73.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft ehRecvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FCC370EF-8AD4-4CB7-8710-1926BFFDF410} wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings." SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1404 ehRec.exe 2668 aspnet_state.exe 2668 aspnet_state.exe 2668 aspnet_state.exe 2668 aspnet_state.exe 2668 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1704 cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: 33 2124 EhTray.exe Token: SeIncBasePriorityPrivilege 2124 EhTray.exe Token: SeDebugPrivilege 1404 ehRec.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: 33 2124 EhTray.exe Token: SeIncBasePriorityPrivilege 2124 EhTray.exe Token: SeDebugPrivilege 2568 alg.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeTakeOwnershipPrivilege 2668 aspnet_state.exe Token: SeRestorePrivilege 1292 msiexec.exe Token: SeTakeOwnershipPrivilege 1292 msiexec.exe Token: SeSecurityPrivilege 1292 msiexec.exe Token: SeBackupPrivilege 584 vssvc.exe Token: SeRestorePrivilege 584 vssvc.exe Token: SeAuditPrivilege 584 vssvc.exe Token: SeBackupPrivilege 3048 wbengine.exe Token: SeRestorePrivilege 3048 wbengine.exe Token: SeSecurityPrivilege 3048 wbengine.exe Token: SeDebugPrivilege 2668 aspnet_state.exe Token: SeManageVolumePrivilege 2176 SearchIndexer.exe Token: 33 2176 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2176 SearchIndexer.exe Token: 33 904 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 904 wmpnetwk.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe Token: SeShutdownPrivilege 1636 mscorsvw.exe Token: SeShutdownPrivilege 2832 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2124 EhTray.exe 2124 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2124 EhTray.exe 2124 EhTray.exe -
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process 2364 SearchProtocolHost.exe 2364 SearchProtocolHost.exe 2364 SearchProtocolHost.exe 2364 SearchProtocolHost.exe 2364 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe 572 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2832 wrote to memory of 1576 2832 mscorsvw.exe 42 PID 2832 wrote to memory of 1576 2832 mscorsvw.exe 42 PID 2832 wrote to memory of 1576 2832 mscorsvw.exe 42 PID 2832 wrote to memory of 1576 2832 mscorsvw.exe 42 PID 2832 wrote to memory of 2504 2832 mscorsvw.exe 45 PID 2832 wrote to memory of 2504 2832 mscorsvw.exe 45 PID 2832 wrote to memory of 2504 2832 mscorsvw.exe 45 PID 2832 wrote to memory of 2504 2832 mscorsvw.exe 45 PID 2832 wrote to memory of 2036 2832 mscorsvw.exe 46 PID 2832 wrote to memory of 2036 2832 mscorsvw.exe 46 PID 2832 wrote to memory of 2036 2832 mscorsvw.exe 46 PID 2832 wrote to memory of 2036 2832 mscorsvw.exe 46 PID 2832 wrote to memory of 2632 2832 mscorsvw.exe 47 PID 2832 wrote to memory of 2632 2832 mscorsvw.exe 47 PID 2832 wrote to memory of 2632 2832 mscorsvw.exe 47 PID 2832 wrote to memory of 2632 2832 mscorsvw.exe 47 PID 2832 wrote to memory of 1268 2832 mscorsvw.exe 48 PID 2832 wrote to memory of 1268 2832 mscorsvw.exe 48 PID 2832 wrote to memory of 1268 2832 mscorsvw.exe 48 PID 2832 wrote to memory of 1268 2832 mscorsvw.exe 48 PID 2832 wrote to memory of 2776 2832 mscorsvw.exe 49 PID 2832 wrote to memory of 2776 2832 mscorsvw.exe 49 PID 2832 wrote to memory of 2776 2832 mscorsvw.exe 49 PID 2832 wrote to memory of 2776 2832 mscorsvw.exe 49 PID 2832 wrote to memory of 1368 2832 mscorsvw.exe 50 PID 2832 wrote to memory of 1368 2832 mscorsvw.exe 50 PID 2832 wrote to memory of 1368 2832 mscorsvw.exe 50 PID 2832 wrote to memory of 1368 2832 mscorsvw.exe 50 PID 2832 wrote to memory of 1952 2832 mscorsvw.exe 51 PID 2832 wrote to memory of 1952 2832 mscorsvw.exe 51 PID 2832 wrote to memory of 1952 2832 mscorsvw.exe 51 PID 2832 wrote to memory of 1952 2832 mscorsvw.exe 51 PID 2832 wrote to memory of 2364 2832 mscorsvw.exe 52 PID 2832 wrote to memory of 2364 2832 mscorsvw.exe 52 PID 2832 wrote to memory of 2364 2832 mscorsvw.exe 52 PID 2832 wrote to memory of 2364 2832 mscorsvw.exe 52 PID 2832 wrote to memory of 2696 2832 mscorsvw.exe 53 PID 2832 wrote to memory of 2696 2832 mscorsvw.exe 53 PID 2832 wrote to memory of 2696 2832 mscorsvw.exe 53 PID 2832 wrote to memory of 2696 2832 mscorsvw.exe 53 PID 2832 wrote to memory of 1284 2832 mscorsvw.exe 54 PID 2832 wrote to memory of 1284 2832 mscorsvw.exe 54 PID 2832 wrote to memory of 1284 2832 mscorsvw.exe 54 PID 2832 wrote to memory of 1284 2832 mscorsvw.exe 54 PID 2832 wrote to memory of 1488 2832 mscorsvw.exe 57 PID 2832 wrote to memory of 1488 2832 mscorsvw.exe 57 PID 2832 wrote to memory of 1488 2832 mscorsvw.exe 57 PID 2832 wrote to memory of 1488 2832 mscorsvw.exe 57 PID 2832 wrote to memory of 2188 2832 mscorsvw.exe 58 PID 2832 wrote to memory of 2188 2832 mscorsvw.exe 58 PID 2832 wrote to memory of 2188 2832 mscorsvw.exe 58 PID 2832 wrote to memory of 2188 2832 mscorsvw.exe 58 PID 2832 wrote to memory of 2796 2832 mscorsvw.exe 59 PID 2832 wrote to memory of 2796 2832 mscorsvw.exe 59 PID 2832 wrote to memory of 2796 2832 mscorsvw.exe 59 PID 2832 wrote to memory of 2796 2832 mscorsvw.exe 59 PID 2832 wrote to memory of 1596 2832 mscorsvw.exe 60 PID 2832 wrote to memory of 1596 2832 mscorsvw.exe 60 PID 2832 wrote to memory of 1596 2832 mscorsvw.exe 60 PID 2832 wrote to memory of 1596 2832 mscorsvw.exe 60 PID 2832 wrote to memory of 1680 2832 mscorsvw.exe 61 PID 2832 wrote to memory of 1680 2832 mscorsvw.exe 61 PID 2832 wrote to memory of 1680 2832 mscorsvw.exe 61 PID 2832 wrote to memory of 1680 2832 mscorsvw.exe 61 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe"C:\Users\Admin\AppData\Local\Temp\cbd7bac157b6055817c99402a1c482bf04e70db4faf34cd52a48a9ac4c111f82.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2480
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 1d4 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 260 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 268 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 280 -NGENProcess 250 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 288 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a0 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 280 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 270 -NGENProcess 290 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2220
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 220 -NGENProcess 1f8 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 284 -NGENProcess 11c -Pipe 1f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2148
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 220 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 248 -NGENProcess 24c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 240 -NGENProcess 1c4 -Pipe 120 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c4 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1c4 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 290 -NGENProcess 1d0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1d0 -NGENProcess 290 -Pipe 220 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 224 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:840
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 258 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"2⤵PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 290 -NGENProcess 2b0 -Pipe 224 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 1c4 -Comment "NGen Worker Process"2⤵PID:2620
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:696
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1052
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:320
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2124
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1832
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1532
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1756
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2860
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:312
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2948
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1104
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2252
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2856
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1740
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:584
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1768
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:904
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2176 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2364
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1880
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:572
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD5e1a4f563ed792ba68d665ed34744d946
SHA173d985bef679ffd38ca797972e81c0a67204149a
SHA256156e8b6805b3a37af83ed2494d43535f3c8e28379b3dbd5d6612530ed22bf3c0
SHA512dfe190685486fe381d7b783e6b1f35ed4989556d43af127897720a29655a74101e8dc2d78b94af7fe5143a188917117fdae03c1546f5b9de1a0136cc0f51dc4d
-
Filesize
30.1MB
MD530fbd54d02ad3047b707afb0dea6abaa
SHA15d8a872d9fe7db9f34a78916606eb54d646b0c39
SHA256808cb2458f9aee3fa0e2d7eb147d4220403602a507a29d1b0640141c5c4589e5
SHA5122c4d6248c7552a60f57f654afe3c0c66fc7dff402e15ff2d3543beb5e308606a4edf531d4cec55a6467f076aa84e7ef27c52d4ca56c432719b8addd069f26424
-
Filesize
781KB
MD5b004e721131bf2e3495f6e347dc14f8b
SHA1cd0966b20a878bb67c7520ea3003370a3ec5a592
SHA2565ed0ef34099603da0ee748fb498e9427eb4a7cb7359fe60249f4ad3f50560ec6
SHA5126ad3cba73d7d6771e3f1402b9612b62a2089e1d4c84acd6ea2a9586adc5b8c665da62335b6a730341b0bce90c0c6b5e22e5e4b5fc97337e27a76c72a4c6c0600
-
Filesize
5.2MB
MD512a2ea8e990189ac625dcb1c1cb6e626
SHA1975e7e7fd5714a31bc8470ea1749561539c5403c
SHA25634bcc6958b545d6b8ff5f474fdbb0985d7e924ba0c213cb68ea075561090399e
SHA512a8c51248685b29ca934476e78213b622546c5ca346fd9603a997daae3bff6f86ed6fd4b6628fd0636c44fc1629a736d0b029382d49f6052409276018d0dd7a3b
-
Filesize
2.1MB
MD586635603133ae0f0885a5688020ef349
SHA1094c3e73862afb7936e1daa6cc6a83556be83d0a
SHA2568a21e88b5fd6f8624a8f14d6372476aa953a122231284d457dca3d18e8546d68
SHA512ccabcccd7b7334dc184455b8ab545074424215e2181b487e2826513f2fc5771625eff15a3f46e307c26e5ca14b97064bc2635cf78ba9e400a6d75c6f6334b2ee
-
Filesize
1024KB
MD50b3a7eb6c9f30115d74e509f2e72821e
SHA19a1e5718d56ccad808b035f7b54f4b67a3d1ee55
SHA2565aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499
SHA51233846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5306cf7db2eebcd7be9b175969e55da5f
SHA1a094c8065c54f05c3c838df4f93d4b102a071186
SHA256a934c4fe9b77e4f16ac9722e7b47694e82a86f6b904ea3217754f017d9478d40
SHA512cecef8fa7655e9ad4a32686eb8a397e1c5edad8708c1e4171367fc53e26d69dd1b79400085a568b29db2b6b389ae20f2e67b71f5708c72c04351148bea593110
-
Filesize
678KB
MD5d0b587f15404ae188b300374e10724d9
SHA1fd0f45a56eba805ff3868cbe8008b3d081e225ae
SHA2562c41d936136ace65493fd5b57645c52451fea8c8b577832ec5361df90d75b187
SHA512661e3ef582f7dcc20af8c045598dc00f200b3b3c21ff3776a95d71e58d48b707bec638067577d0c24cc41727b9dd2a21d61428ae0735caea12e8eb6c2e7662a4
-
Filesize
625KB
MD5a00de6ee1ac2298857ff7be530c61957
SHA11c46d343087291ee1635cec23558a173359f514b
SHA2563fd45fa955d1b4f75c1d9295a7c98bd42ffa41df16a1c4b820e2ba72ff656712
SHA512eeac17cd70591b28e538f6f1a9cfb9d02838e3781919602d05270e4cf4dfad08a0b28e7f4263abca129ad1fcd79992b55d19cb25e3dd8738ea651af4de6422ec
-
Filesize
1003KB
MD5b783307e1b7e36c122ce1df773f02503
SHA17577baa18d2c31da3679d80b0934f592596fb84f
SHA25658847866a2f46e5c0e0cab1f35961ff9a416e0caac6d4777703e19642a7d4fde
SHA512fa7f04c70cab4a2d8cdd55811b40c1e9b0fc89cd377c6009321489400b65173548c7d9c1ce6d4027693b9436d7b7bbde487a5d0253583ec942af83269eee1107
-
Filesize
656KB
MD5d69f1ac5c065c6c8bd28034796d92b40
SHA1f62747aa7a39d9bb62ad337633a763c554b0e634
SHA256a9093061c933b6f3da6e1319f7f96517f518dd7268da685026f8cc6459ec6f9a
SHA5121d5f1dd2c5a2035bdb0d4cf8e98aa8a35094ed7c18664a2014d174edd9644b60e3c60962d58331783064a6834b257cabd884f746a318726daa65d2ebad12e45c
-
Filesize
8KB
MD5c70513760d0bb128cb68dff38ba2b83e
SHA110bcc5eac247c8696ef739c871bb6b3eed668c38
SHA256b8c5a2f4de8d74d86c1784a0c80b8e47e63bd4144282e86ef7b386622b74c7dd
SHA5122bfc3d4f9cd5f3c62a43c80e51c1ed6d2c9a4450fb84d97644870d5ecf58ba602ce94260831083784c3b5f545c8d6e8ad0c83600b08853c71fbde5da5b606681
-
Filesize
587KB
MD5fe30f6e6bca3bf68f7394798870c82a4
SHA1c7eda819cc21621d83932534184677790da3d5b4
SHA2564a40f09e538a3d1de85f4e7ffd46809f8846992ae9a476c3f84cd2d7f100a0e7
SHA512d85db7e750063f3f3276f03b97b01909eaf4aea95a3988e6b047f8b795cb5dc5fd6214951331969a71c9af1a0d92dda9f72d3dced7d6c935db3beb54c4fdb2eb
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
Filesize
674KB
MD563c639630b728f4c86ca73af902a4c70
SHA1f54b308005bebf54bc19e02efe4a6de6687c150c
SHA256fb0010138075f01d71418b1a2630131e5c52ac57ca880ad20042ed188f89cb94
SHA5124456a89e5d373025c29010d5df3f743c406b3608a0aff1926b347679a7c53e331c503ac3c3ee19de292c37e62df2d97e7f3ce437d1bc9bb94c61c5aec062ea16
-
Filesize
1.2MB
MD51207a447716c7ec5ef99d996fe3f6489
SHA1302c32c0d40273d0a56e47c804d7c93b9a4ae63b
SHA2561b92e45f9b9b6223e45c4972aaef296e318314187a6ee0c9af1f5565947189e0
SHA512cff0d809c81f410cc9c3c7a5b1ba92bc179f04bd135918a4710ef1429c584b26936fef9c7a7b0ab92799b10ef6d865571881307ac00650f1b887033afdb6a0f5
-
Filesize
648KB
MD5edb63790bcfb1c297e406a27b2db997e
SHA1daeeef83643e2cb27c626f056f5c5bb66e6877f3
SHA256225aad1ea58e3ba48448f1077ff9adbbb726ce2863590869d4b7d724dd86b14d
SHA512a332f9429da3296960ba41d333f83af755c21b2d762016b96c3f144995880c3747e378001368f227b9d6d9bb4d7411e5003270123db50b9f651fd8e4b0ea2c81
-
Filesize
603KB
MD51586ffe1cbf872c57fe0aa93e2360b1d
SHA1b1945b28efdbd5f168b5301241c55509ba98fdbe
SHA256100b7230336885ba275da66c9a5413c93be53b01cc16fcf28e369d69c4a89405
SHA5129f9b19ac21f3a5d43afe9879f169f200ef66f1dd2536a6c5805852a97fee1d5a966993d8a61650cc36a5c1083e4c415b92b5227fb05ecd5c5e885aace5b8633b
-
Filesize
577KB
MD5256653d8d960d8708604f365569b22a5
SHA15ba2b4ad4ff1aacb7cc4773292a5abd1d628c3a7
SHA256a4d107b8ca7c132e7820a31cb80c6b680d922a12a0e81b97481054b4a63d76d5
SHA51264eff06cac995278055fcbba2d6c84bae3585382a765f315fd4819ad3b40e0881037a0b702f07e3f7f748c252444bee0fcb7c4950cc0f64be0faab0fc57d395f
-
Filesize
644KB
MD56ad5ecf3d9e8995835d84ec85f077a13
SHA1432e928feb0047ecb44f922ef84d336eb66b286b
SHA2569c97478e83023b1bde5fad8f0613775fd7fd2a1b504a64baf403c3e60c916e65
SHA512164b2f8ba656842954c06ca21b5c444779f9b57e27de92ae8e1bfccecdfc756e67441e2c20e27ca3268f49c9a19b1db15eacb593f65995d3ca93e0298e4ae275
-
Filesize
577KB
MD558c1359d5484b84b38cc1eb086cdfa0e
SHA161f4a1d4a6f92b5614eced2f62eb2d31cc2a25a9
SHA2564fd3cf6218ddcd738ff1c77c85880430aba88c97315f005c753da042c1bedef8
SHA5128934bd47010712bf63cedcb4ec275b67b63a33ef13955a7ddad42dc6816ba39b57ec6a8d9e68ddd3b4ce25401832466db983ff0f49ba1a9a610a265823f85bbd
-
Filesize
705KB
MD5a7a580f795070feb988d31a90b553ab6
SHA1edbf1b6f7aadc099fdec1fbb29da0753bf385d62
SHA256383b41a226319b0beb941f7044b093535bf20bcaa49d58e23867400e9f2cfca0
SHA512c2a8daa7fc398ce3d4d87066ed2b289916206c01df50aefddfb8be3ff1bd50f0fe8017b97d74250e746ed4318b9c455a0f6307321aebaf48e8422ead3eefb649
-
Filesize
691KB
MD5e72f3f3d20872a648718b3dfbdab402c
SHA19456f9d999154f0301bdd6248d2f66efb2908bf1
SHA256dd7c496737b1b8a05880a3b2b4ec679b9223d96e80ffec3e1032a0c8ad45133f
SHA512468756a390495b2b77fbd5c8ab51eec3af427125583d63edd1bb494712632876802f73b745c7de5aca494ad509ed4ce513433a18318e2b9ad38bff9fcb6b065b
-
Filesize
581KB
MD53a3774eae21cb7b39ab7686e89db4629
SHA1a3c46f31c6fdfebfafab13be4d7872ed4c4c5a06
SHA256421508ca90c523524d08fd4d9bdc2b6ef5711abb93cd931fd75d8ca7be4fa83c
SHA5128682631bab1bac7bfd8ef87c157f9b00b38ce00461249254d7d94c7e5dcd943bd94d04d0e060eb0dcc49b09cd38edac5d6918084e8a7656b453041ea71919688
-
Filesize
1.2MB
MD5084acff9c6da21b563e71e80dcb4033d
SHA16ae7ccd20f5f1b831bd437727a7326bf900a2b8a
SHA2567d5ee9639df1cce0f622c398821d24637606c1d669adaab5b36e769ebbe1e629
SHA512419350f505308cc44137d8725ddad2f8affaec7ac9fa7a6ef5502b7303ac8c9e83ea916cc855fa3bf77703c820895a58bc6b4196fc5c01eddb1e15cc99d6873a
-
Filesize
691KB
MD59172f2567d58dbae217fb7867b75b8d6
SHA1408214aaa379eda5ad1321ab252d25dfdc0624ae
SHA256f7309832f0792e190da9ecff1c7258b863f3e88ba32764a195cbdd06f4c611eb
SHA512e735ef312574244b4b3f5385080a995ba08bec924238a48c50c3b4c6abd6216f47a350f345068b5cfda2b679978b6e636c4c44892be124921ffd0b68b6f7d3b1