Analysis
-
max time kernel
144s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 05:37
Static task
static1
Behavioral task
behavioral1
Sample
cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
Resource
win7-20240611-en
General
-
Target
cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe
-
Size
1.8MB
-
MD5
d46e23f53839ba5acad67adcc3005d91
-
SHA1
36609e8bedd3a36a1af8cb5141c4d1c3ff04bb50
-
SHA256
cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8
-
SHA512
89b174c10d8e6037cb283809a77bf1260df0924b42a295474b8ba1a22735b876436447d891f5ac8ecfa196ec6428f497699b05ff6d71998e9515a3826e3caf2d
-
SSDEEP
49152:1x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAz/snji6attJM:1vbjVkjjCAzJqEnW6at
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Processes:
alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exedllhost.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehsched.exeIEEtwCollector.exemsdtc.exemsiexec.exeperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 468 2600 alg.exe 320 aspnet_state.exe 272 mscorsvw.exe 1824 mscorsvw.exe 1088 mscorsvw.exe 1700 mscorsvw.exe 896 ehRecvr.exe 1972 dllhost.exe 1736 elevation_service.exe 2728 GROOVE.EXE 2612 maintenanceservice.exe 2536 OSE.EXE 532 OSPPSVC.EXE 2680 mscorsvw.exe 272 mscorsvw.exe 824 mscorsvw.exe 2364 mscorsvw.exe 1536 mscorsvw.exe 1544 mscorsvw.exe 2816 mscorsvw.exe 2492 mscorsvw.exe 2568 mscorsvw.exe 1616 mscorsvw.exe 1804 mscorsvw.exe 2332 mscorsvw.exe 1892 mscorsvw.exe 548 mscorsvw.exe 608 mscorsvw.exe 1160 mscorsvw.exe 2512 mscorsvw.exe 2772 mscorsvw.exe 1172 mscorsvw.exe 1100 mscorsvw.exe 752 mscorsvw.exe 2932 mscorsvw.exe 2396 mscorsvw.exe 1760 mscorsvw.exe 2368 mscorsvw.exe 1824 ehsched.exe 2680 IEEtwCollector.exe 2376 msdtc.exe 1960 msiexec.exe 2372 perfhost.exe 2020 locator.exe 1772 snmptrap.exe 1156 vds.exe 2784 vssvc.exe 672 wbengine.exe 2400 WmiApSrv.exe 2512 wmpnetwk.exe 2772 SearchIndexer.exe 2824 mscorsvw.exe 1072 mscorsvw.exe 2192 mscorsvw.exe 2172 mscorsvw.exe 944 mscorsvw.exe 836 mscorsvw.exe 2452 mscorsvw.exe 1712 mscorsvw.exe 1592 mscorsvw.exe 2876 mscorsvw.exe 2624 mscorsvw.exe 1072 mscorsvw.exe -
Loads dropped DLL 51 IoCs
Processes:
msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid process 468 468 468 468 468 468 468 468 1960 msiexec.exe 468 468 468 468 468 764 944 mscorsvw.exe 944 mscorsvw.exe 2452 mscorsvw.exe 2452 mscorsvw.exe 1592 mscorsvw.exe 1592 mscorsvw.exe 2624 mscorsvw.exe 2624 mscorsvw.exe 1464 mscorsvw.exe 1464 mscorsvw.exe 960 mscorsvw.exe 960 mscorsvw.exe 1472 mscorsvw.exe 1472 mscorsvw.exe 2936 mscorsvw.exe 2936 mscorsvw.exe 960 mscorsvw.exe 960 mscorsvw.exe 2428 mscorsvw.exe 2428 mscorsvw.exe 1148 mscorsvw.exe 1148 mscorsvw.exe 2972 mscorsvw.exe 2972 mscorsvw.exe 2596 mscorsvw.exe 2596 mscorsvw.exe 1488 mscorsvw.exe 1488 mscorsvw.exe 2264 mscorsvw.exe 2264 mscorsvw.exe 2160 mscorsvw.exe 2160 mscorsvw.exe 824 mscorsvw.exe 824 mscorsvw.exe 1500 mscorsvw.exe 1500 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 19 IoCs
Processes:
aspnet_state.exeSearchProtocolHost.exealg.execae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exeGROOVE.EXEmsdtc.exedescription ioc process File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\dllhost.exe cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\d6a707a38ab55808.bin alg.exe File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\System32\alg.exe cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe -
Drops file in Program Files directory 64 IoCs
Processes:
cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exealg.exeaspnet_state.exedescription ioc process File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_gu.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_ml.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe alg.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_es.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_en-GB.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_hi.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_en.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_nl.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_ms.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\psmachine.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe alg.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_ca.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe alg.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_am.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE aspnet_state.exe File created C:\Program Files (x86)\Google\Temp\GUM5763.tmp\goopdateres_pt-PT.dll cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe aspnet_state.exe -
Drops file in Windows directory 64 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.execae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exedescription ioc process File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe aspnet_state.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2617.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1120.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe aspnet_state.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D12.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe alg.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe alg.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6D4.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
ehRec.exeSearchFilterHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeSearchProtocolHost.exeSearchIndexer.exeOSPPSVC.EXEdescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text." SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers." SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchIndexer.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform OSPPSVC.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
ehRec.exeaspnet_state.exepid process 1708 ehRec.exe 320 aspnet_state.exe 320 aspnet_state.exe 320 aspnet_state.exe 320 aspnet_state.exe 320 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exemscorsvw.exemscorsvw.exealg.exeaspnet_state.exeEhTray.exemsiexec.exeehRec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exedescription pid process Token: SeTakeOwnershipPrivilege 2980 cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeDebugPrivilege 2600 alg.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeTakeOwnershipPrivilege 320 aspnet_state.exe Token: 33 2008 EhTray.exe Token: SeIncBasePriorityPrivilege 2008 EhTray.exe Token: SeRestorePrivilege 1960 msiexec.exe Token: SeTakeOwnershipPrivilege 1960 msiexec.exe Token: SeSecurityPrivilege 1960 msiexec.exe Token: SeDebugPrivilege 1708 ehRec.exe Token: SeBackupPrivilege 2784 vssvc.exe Token: SeRestorePrivilege 2784 vssvc.exe Token: SeAuditPrivilege 2784 vssvc.exe Token: SeBackupPrivilege 672 wbengine.exe Token: SeRestorePrivilege 672 wbengine.exe Token: SeSecurityPrivilege 672 wbengine.exe Token: 33 2008 EhTray.exe Token: SeIncBasePriorityPrivilege 2008 EhTray.exe Token: SeDebugPrivilege 320 aspnet_state.exe Token: SeManageVolumePrivilege 2772 SearchIndexer.exe Token: 33 2772 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2772 SearchIndexer.exe Token: 33 2512 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2512 wmpnetwk.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe Token: SeShutdownPrivilege 1088 mscorsvw.exe Token: SeShutdownPrivilege 1700 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EhTray.exepid process 2008 EhTray.exe 2008 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
EhTray.exepid process 2008 EhTray.exe 2008 EhTray.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
SearchProtocolHost.exeSearchProtocolHost.exepid process 2704 SearchProtocolHost.exe 2704 SearchProtocolHost.exe 2704 SearchProtocolHost.exe 2704 SearchProtocolHost.exe 2704 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe 1892 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mscorsvw.exedescription pid process target process PID 1088 wrote to memory of 2680 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2680 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2680 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2680 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 272 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 272 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 272 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 272 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 824 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 824 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 824 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 824 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2364 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2364 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2364 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2364 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1536 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1536 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1536 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1536 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1544 1088 mscorsvw.exe WMIADAP.EXE PID 1088 wrote to memory of 1544 1088 mscorsvw.exe WMIADAP.EXE PID 1088 wrote to memory of 1544 1088 mscorsvw.exe WMIADAP.EXE PID 1088 wrote to memory of 1544 1088 mscorsvw.exe WMIADAP.EXE PID 1088 wrote to memory of 2816 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2816 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2816 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2816 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2492 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2492 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2492 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2492 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2568 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2568 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2568 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2568 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1616 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1616 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1616 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1616 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1804 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1804 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1804 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1804 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2332 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2332 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2332 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 2332 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1892 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1892 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1892 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1892 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 548 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 548 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 548 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 548 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 608 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 608 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 608 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 608 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1160 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1160 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1160 1088 mscorsvw.exe mscorsvw.exe PID 1088 wrote to memory of 1160 1088 mscorsvw.exe mscorsvw.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe"C:\Users\Admin\AppData\Local\Temp\cae6bf323bf7065e3499df46bb5b60c982d3bbad48591c685fcde67af86f16d8.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:272
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1824
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:272 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1dc -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1d8 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 240 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 248 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 1d8 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 248 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 248 -NGENProcess 240 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 264 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1dc -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:548 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1dc -NGENProcess 240 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:608 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 294 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 240 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 270 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 248 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:752 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 240 -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 298 -NGENProcess 270 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 11c -InterruptEvent 228 -NGENProcess 224 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 1f4 -NGENProcess 1fc -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 26c -NGENProcess 27c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 224 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 1fc -Pipe 218 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:944 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 224 -NGENProcess 1fc -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:836 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 220 -NGENProcess 254 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2452 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 254 -NGENProcess 244 -Pipe 11c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d4 -NGENProcess 1fc -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1592 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1fc -NGENProcess 220 -Pipe 1c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 25c -NGENProcess 244 -Pipe 224 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2624 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 1d4 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 220 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1464 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 220 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"2⤵PID:1500
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 270 -NGENProcess 1d4 -Pipe 1fc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1d4 -NGENProcess 264 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:2308
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 2a8 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 25c -NGENProcess 270 -Pipe 2a4 -Comment "NGen Worker Process"2⤵PID:2172
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 264 -Pipe 220 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2936 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:1824
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2b8 -NGENProcess 270 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 270 -NGENProcess 248 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:2364
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2428 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:1592
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1148 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 248 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:1668
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2972 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:1052
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:1120
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1488 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:2028
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:1868
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2160 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2332 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:2936
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 258 -Comment "NGen Worker Process"2⤵PID:1084
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:2444
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 228 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1500 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 258 -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:3004
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2920
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1616 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 258 -Pipe 304 -Comment "NGen Worker Process"2⤵PID:2876
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:1540
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 30c -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:2056
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 258 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:1464
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:2524
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"2⤵PID:2900
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 258 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:1868
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:1744
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2212
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 258 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:568
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:1600
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 30c -Pipe 32c -Comment "NGen Worker Process"2⤵PID:884
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 258 -Pipe 330 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:940 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"2⤵PID:1872
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 30c -Pipe 338 -Comment "NGen Worker Process"2⤵PID:2444
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 258 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:1712
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 308 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:2360
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 30c -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1484
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 258 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:2568
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 308 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:1780
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 30c -NGENProcess 368 -Pipe 350 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2008 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 368 -NGENProcess 29c -Pipe 36c -Comment "NGen Worker Process"2⤵PID:436
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 358 -NGENProcess 354 -Pipe 26c -Comment "NGen Worker Process"2⤵PID:1392
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 370 -NGENProcess 364 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:2624
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 364 -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"2⤵PID:1896
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 378 -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"2⤵PID:2024
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 258 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:1692
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2368
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:896
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
PID:1972
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1736
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2612
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2536
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:532
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵PID:1544
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1824
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2008
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2680
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2376
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2372
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2020
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1772
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1156
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:672
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2400
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2704 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:2080 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1892
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD580b1555c7913ab21f19e109b148b29ce
SHA1ad3b1d6fa4235432865296a74da93d76fd449c4f
SHA25658d13ae0069f38a62d74eece7896d88e6a501a61adc5d0711c1a50637afd4765
SHA5124152d220c9c34f146ea206370f86a5b1ff19ae24f696e143cf65523e27048e80347cb595d8effdbfa03be5f4113ec299d532b79ecc7f33abe1d38f3a716b646c
-
Filesize
30.1MB
MD5a3f1ed25d46ebdab376919905bd45451
SHA17966e24ea6ed1ed69c439f66a9ef643d27d84c01
SHA2566efd983f3755ea0d73bfcec8f30141a3339ee8d42d2471b1b12e052baae55b75
SHA512d8553887ef2f69add1462be6b28577ad9d2933eef358c993dac3c20113f7b0dd477ae9bff7884c2cdd230cd30b49ffe1cdc43e17042f0210e109f7044f07483a
-
Filesize
1.6MB
MD58ea2cb19d7b2c99008633757520297ab
SHA1cdc17119b287aa174d46bb9f30aa9969e20fe8a7
SHA256ae1ed48fe00a1adc445baeebcfd1ca8a018502619acf57450ab13112ca43a430
SHA5124e5d756e1bd15b063a56bc1a9340cc5bea79883df0426380de08acead4598f7e2dda42de1729a4ff6973b8acd7654a6089e203d51434bef010ea931f2aaf6b50
-
Filesize
5.2MB
MD50039119e6caede04b64a9159768ea8cf
SHA1b8e3d60a01c7ae115a38adcf87146e00cd62cab6
SHA256167430e82fe0a024c0577e39219141f2809c6a52b26b56c69bc4c8bec9372980
SHA512c49c2bbe9b6f6022fb27f87f44aa43f51770c1c2c8f86ae4925c341bfb57579ccb45012eaf8f8bb20ebc2e011c4dee5a7f7aef16f0eeaadd90fb75e25e52ed8b
-
Filesize
2.1MB
MD59dc06be513de37503b4a698adb62641c
SHA149ff414cae6afb7bd9c380c7fb4fe7e3971cf235
SHA2564c508b9d552d3c13fdf533488dce6ee57dc3ee5c62951cdc72206919749d7de0
SHA51203511796fd92860674ebb72b3a031a926cf51e492ad7a93228693091efaa6f6dce035e584342f8f7d88b9b264f1d8fb74c370147dedfb71b11876ec2a31534e9
-
Filesize
1024KB
MD5b10f79a90139977b22e43f22d7fbb19d
SHA1a5cb234428fbc646c2baa741c47bd9da05194138
SHA256621cbf8de56655c1d3deb588b0496ae3dc201f9d1be76fe4e4b14cca541b06e3
SHA512fc21f79adc7fa0fde3188f9d1e27494bc3f13fcb04e10173e179602476b5aaa09a854737012b903e9f2ae8750fb54ebe06a0c45e38d1780e30fc6e637d18d8c2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
1.5MB
MD54f8a5e5f4b8acb5c6cbac53feafb2778
SHA12ad250cba73abdbcde6819910f49e5fcf1403f90
SHA2566a5accc36ab2139b38ae768801faec4339d1eae4b5556ebdb5e85da2ec47266b
SHA51227f8a3c19bfe0aed8a522e4c36847aa9b8cfc8d9cd5276be385f6e7fb76406eb8ac853911d13cd478d2051b5077396683282a4958d16b32104fa52528cfe32a4
-
Filesize
872KB
MD5c71565f8da051026b495d884070c9165
SHA10a7067421b33a375e81eea25a2f97c3140db9d74
SHA256d1225473b66a48109ba31324e2097dd06297240d51f15f36ea9d10f9e1f77d97
SHA51236041d368d58037094b43835422cf179d903a4f7218cf5c894ac46b2269411793f2cf118a88f0d3d8657387ab163bb2fbf13324cc2f4886aedf12b85f2fa6424
-
Filesize
1.5MB
MD5b552b5badfac81d54b4904f86db0444c
SHA1f49418d711121cb3ce97de743b148b54e2ce40ec
SHA2568c123c76c157bd4bf207a9fcc3f7864bdee0ef3d865afca3a40b68f5d436b586
SHA5127e9c54b8137711724c897f4a7745c71453f7586ff707847da603796634c3a966cf79519c745029c0879740b6903bdf9a17039c497c7d85c7f656710066eccabd
-
Filesize
1.5MB
MD580ae0d4473ac02cff343897ebcb3bc6b
SHA1691e6a75d255fa92ff6067f50afd256e572b07a3
SHA2560a2d035a32f7c5982c1409f76e100a2abc78badda732fbaeaea3677e34929869
SHA512f7413b4ea60b02747dc342c441f6f48ac9e3ff9568f63703af8909acf68b816317a147cbf8cf81b24a5b5823211a28ae1e1f3be0168eafee2878d3cc41657f32
-
Filesize
1003KB
MD52dbbaf6b431d6a0a1e89807f13f12da0
SHA166c8c86df9cf399da7416535edb0d1fc228ed6c4
SHA256b1b4e0d60fb85c92af8a468028e966baec48985d9ca403d6bbb9978af2141eeb
SHA512054333b819cd4d38442041ec0762cd5c458efb633496dfe4c58b516d35383ffb2f4d5157b4d36b6f35b9a1a8744ec2d6c823942560014bdf81f04db2916c6eec
-
Filesize
1.5MB
MD5dd6457ab2227f092ce62174a7282731d
SHA1e08da6df64f350a6dcee5f3f56fcabf58d9cefcb
SHA2565b24e66ec7a009b3351ecc76f5b2ff41b95042f588b981b2ff8f113f5938c645
SHA512437df997b76e5741ec9e91ff1cd1e3b3b0409f8dab182b2300504f865c474551a064acdead7b405dde9e2aca4c315e1e317ee438e10047d094dad0aba6cc7be0
-
Filesize
8KB
MD57585da8b23a1bcdb854fad7805b54022
SHA103a4e2d7d44db37540e03cdfc92233c54d503dfd
SHA256f3ec1d0fedb1c34e67eac475ecbb429633e49bc015aa697ca0ca8ccebcfe2284
SHA5127fa652c541bea4d3f45d9a0db125518c1db893941590b60c4e7a30fa125a1347c6263fc0bdd954ea127b5f3b9e275b72983d1df48799fb5dac979d9aab8914c7
-
Filesize
1.5MB
MD5857d56fc82c67de1d42c9344feaebfc2
SHA11e200f4249ac4737e1a4ae0f801b11aeb2cd54f5
SHA256a976527b6f3db98a48c8c9fc68aa218fc0e5a9f85632c8d2817f117d575c89dd
SHA512456c74dce1f5ebf0cc730fc4987bc2c6513f3e1f70d976776cd48d1eaa35e26bf7008a5ca2053dab4db15aed7e9a2032cb93614f69c5a9ea49896585ce48ae8f
-
Filesize
1.4MB
MD51ce38c3a9d70de404bee430acf6722c2
SHA13d1b5f0f3e1143ad1b69526b7fa5ffea6426ed35
SHA256e94663958bfe759f047b86618eca9e34acbb7c57c5e7bc3a4b6316fe4f48241d
SHA5126921661af026f56ba6bc4844dc60342280870deae99bd2da9353929999768ff0c2ab9a84361dc9fec3b5f27a1636f7f52f90f163f7c7f76b9e7cc9a8610129ea
-
Filesize
1.6MB
MD53634db6069b76aacfffe94897c7c26a6
SHA1fd9429c12823bea04d050f1909132a0a972827b7
SHA2564785fd618dd20fd7eef7a5c69ea02257a4d2363917aad3ebd420ba21873bb648
SHA5120d7f267a14efd3660c61a9e0e05fce3669d9c69872efde41366468b731ff14e729b21c7da2c7fd3bf49c261da28b7b43f5bb8a0409d776b0eabb27cbeb548e9a
-
Filesize
1.6MB
MD55440f0e1ff3dd656bf01ed4bf4b80b9a
SHA1837c02a56ebe557b1850abbdfebcff4886dcb6dd
SHA256aa6a778ace6737a28be5b05f0de26e3c7c60a12c3fac612bb8e8856e28ecf50c
SHA51207f3f074189364f817db420ede87d5a6a1150eca9a5c28c6cfb34d81578fa0beda9e7cdd6c94cd9b3803d281e6233bacd917974c10a14c4a851b178fdf26d2db
-
Filesize
1.4MB
MD56f837455bff52846536e560e4322d368
SHA1eade2a21087909b4c50b4f98b0c1c7ec339bbd1a
SHA256aea9ed24432684826c5af14f83cf87d298c40d21abae5d1b257cbd7aee141a59
SHA5123ab1bdd0a1fee15ac8c1082859ddf63b914b4f7886838b463e8d58ad19a5554583c7af11e0529a9a35d53b238680b8ec40205f2e8eb97ad3906a7d6ee3e4b0d1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4cffbd6c354740026d7a3a29dd63e3bc\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD51fa4c663eb7f4f3f5e7547c8d2849c90
SHA17a2e4dc0eacfaab69d5ddfcbf9fcec8ff55b035f
SHA2563febbc6242bafabbb51659ed696758cc75dadcb7ffc8217b8a032590d97d9166
SHA5123a40a81785cf707abfb6b5f88b98e6cf413391b4098d1199a1cb7f030fa2e45c3c8502ae6baa7ff56f1476ee700d5f126c14a99433802a1dd328cd66bd9dfdd9
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a6507273bdd91590aa129a61ca92a131\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD5ce5a621a78d7dcd08ff8ea894c827abf
SHA174388ed8b719fd3af29c46ca91a8f0deeb589445
SHA256375b75ace0d33e26077b08cf114a6b428d1d80464c6fd0be24b8e402aadb02e6
SHA5122153018344bbeef7cdc49b21a05f7f299d5c62ae0f1b3a35fcab436b7be5975d74451224d4c40fae7a0caaa5f664c0dc37d63e9b036872c542244d9c1a04b463
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d105fa036159601f42c400bd00fa761a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD50fd118e5c968df8d87568f0f35e60ef9
SHA150a49be4a1905912083d82458a1f6a1df8913698
SHA2567c8d44d3cd21c170389dd9d8eaf5fe9c5d400756664691a177573df2cf7136a5
SHA51297b6e34b132af7bc8123b147fa168df56bbd422e36bbe6433acbe737ce060927d57f79d5af118805edd21f5d77e9c0e24e69dd8cb10d9fa4752171070583f8b0
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e437943a7d58a6ed05e6767c7c8f17ad\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD51672aba1b8e4ad406d53f9934d5359c7
SHA14c3c77e67edd7ce121a54157a3d4553100f2834c
SHA256a5327323fc132941d2f9bfda6aae03edff5dbec957e2479878ad242896f7e00e
SHA51296f54ff1e6d71b5a0af77f92abf0feed6fcc6d73bb8b9c9b551678f86264cc9bf308d7c7774a848fb5159dae0889b56c665d3ffce5cd8456625ec1c14da9333e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.5MB
MD58f5a59be45ed9b9ad29dd54d4e0d06ed
SHA12c0201b2584722e1188557d7c54e4e2728c50ee4
SHA256c821fd0c5afcf496db3d4432da818adc358a016bd922c9e6fb662f0c9f96577a
SHA51251a55273988aa3e1000093ea68d5b32888466573af0c8511e3c7ff91fc6437c76e9b113c3b67cd7689ccbe6d7dac34ed7baf9deef918dbf74d994e16a8234c30
-
Filesize
1.5MB
MD50ef35fa1f8ee6150ccb18a0b82b9e48f
SHA15c25ed13a20ba8f794053c0020523f51866a2378
SHA256ca4c162093f98e2be3ac216ed9be8ec1e02d1d16b4fe32c7a9d0f3f97753501b
SHA51246b2cab2859ad9f8a7168ce1cd79fb1877b83fcc9c54beec86c08c18f96456e94ef247fbea2455f09803214e78652936d11016e6c4437e32d91aeae2619401d8
-
Filesize
1.4MB
MD5f158e630fd259eb167a8ab7abcb8a3ed
SHA1efb27b95bc49fff773d1019806787b127347435e
SHA25664e3a13d5411b34c292a0b7702d87d647a07e4d612b7f12e728e252aa03b5de9
SHA51268baedb108512a38ecf3e70fa9d27af13fd074f3bad9f8d3d9a3e22f8f0a7ffa469b555e496a5898fc665f14616c5b9e9706654944a5765f1c0b0e735218db69
-
Filesize
1.5MB
MD597357202e6cf6f650744665ccb43701f
SHA1b3c414086186957265e9691cbb716c5a32db9f75
SHA25632c6fa1ab3c20603407141df8daf39b8322508690263d3ffc64cbae1635979a1
SHA5129e69b28f6789ac77d166502512389466bf103c2f7208019f866f15d3ac15f2299a4ff79a7b233cb3424d6473cc3c10a53ed2b6ccde3c3904d29b9b65d1a0baa3
-
Filesize
1.2MB
MD531564dc0fee3b5c2862f8ef835663991
SHA17df2479c6e80623c7cdb09418015d28ffb4980a7
SHA256cb56425090f98d6d83f1e008c05f32c92c4a350e27f24d63f85240afee08ffb5
SHA5124e2f51afaa20cf91f3299af22885921979afd256915613e2fac8dcdf502a7ee6c87d78f19d7eed5e49a7fba0b63c16f1ea78bfda79905ac267ac9ec8c4fd12aa
-
Filesize
1.6MB
MD55aaea3955ef9298c038a0958fab0fee0
SHA11cc52cfbbcc760487d057360e3c42dd28a7b6c9a
SHA256a29e1bc544eb2a7c022e4ce26998dd2d6dfdd6759830fdf4adf3f0184622fc63
SHA512f688fc3811b40c9b761d8c7ede271a8a5a637c2036c46d4f10e65a25ed9ab37ce1d91f0bd2751de2137f0b92c8e8d10c9d7e482ad48eceb1c25eadb925d8002f