Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 14:44
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.exe
Resource
win7-20240704-en
General
-
Target
Quotation.exe
-
Size
3.1MB
-
MD5
aea0e096d1dfd0e4408d822f828f72e3
-
SHA1
b69ce5621a2259c671e51f53aa88521d18dadbc0
-
SHA256
c6474419259677bfc2d0972306eea797f3decdcf610cf8444aef2f93bf664a31
-
SHA512
5cd5d8d81f0e306278e1fd9810abfa36f5ad429c31d908a7b6de96f0bbf63246bd291ae5d926ea1179474b747df2beb019da354afdce8d6382e8383320d377f3
-
SSDEEP
49152:uCVOkfUWQZSZlnphMfeuXcHDb31Ux0fvSH0eLnrhtdDL8:uCTqSZFHVG0SphP8
Malware Config
Extracted
remcos
RemoteHost
23.95.235.18:2557
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-E0JKXE
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 464 Process not Found 2788 alg.exe 2348 aspnet_state.exe 2944 mscorsvw.exe 2672 mscorsvw.exe 872 mscorsvw.exe 2144 mscorsvw.exe 540 ehRecvr.exe 1988 ehsched.exe 1820 elevation_service.exe 1340 IEEtwCollector.exe 1568 GROOVE.EXE 2276 maintenanceservice.exe 948 msdtc.exe 2668 mscorsvw.exe 800 msiexec.exe 916 OSE.EXE 2876 perfhost.exe 660 locator.exe 1484 mscorsvw.exe 2792 snmptrap.exe 2896 vds.exe 3064 vssvc.exe 1036 mscorsvw.exe 1144 wbengine.exe 1724 WmiApSrv.exe 672 wmpnetwk.exe 2756 SearchIndexer.exe 2256 mscorsvw.exe 2912 mscorsvw.exe 2360 mscorsvw.exe 1744 mscorsvw.exe 2340 mscorsvw.exe 2032 mscorsvw.exe 2600 mscorsvw.exe 1684 mscorsvw.exe 2856 mscorsvw.exe 1232 mscorsvw.exe 2716 mscorsvw.exe 2432 mscorsvw.exe 1316 mscorsvw.exe 1768 mscorsvw.exe 1700 mscorsvw.exe 2100 mscorsvw.exe 980 mscorsvw.exe 1364 mscorsvw.exe 2576 mscorsvw.exe 860 mscorsvw.exe 2496 mscorsvw.exe 2032 mscorsvw.exe 1884 mscorsvw.exe 1040 mscorsvw.exe 3016 mscorsvw.exe 2636 mscorsvw.exe 1668 mscorsvw.exe 1776 mscorsvw.exe 1380 mscorsvw.exe 2244 mscorsvw.exe 2164 mscorsvw.exe 1760 mscorsvw.exe 1036 mscorsvw.exe 2816 mscorsvw.exe 432 mscorsvw.exe 2952 mscorsvw.exe -
Loads dropped DLL 52 IoCs
pid Process 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 800 msiexec.exe 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 748 Process not Found 1668 mscorsvw.exe 1668 mscorsvw.exe 1380 mscorsvw.exe 1380 mscorsvw.exe 2164 mscorsvw.exe 2164 mscorsvw.exe 1036 mscorsvw.exe 1036 mscorsvw.exe 432 mscorsvw.exe 432 mscorsvw.exe 2276 mscorsvw.exe 2276 mscorsvw.exe 2256 mscorsvw.exe 2256 mscorsvw.exe 2244 mscorsvw.exe 2244 mscorsvw.exe 1784 mscorsvw.exe 1784 mscorsvw.exe 1380 mscorsvw.exe 1380 mscorsvw.exe 2636 mscorsvw.exe 2636 mscorsvw.exe 1832 mscorsvw.exe 1832 mscorsvw.exe 1120 mscorsvw.exe 1120 mscorsvw.exe 564 mscorsvw.exe 564 mscorsvw.exe 1612 mscorsvw.exe 1612 mscorsvw.exe 2560 mscorsvw.exe 2560 mscorsvw.exe 564 mscorsvw.exe 564 mscorsvw.exe 2204 mscorsvw.exe 2204 mscorsvw.exe 1232 mscorsvw.exe 1232 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 23 IoCs
description ioc Process File opened for modification C:\Windows\system32\dllhost.exe wmplayer.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\wbengine.exe wmplayer.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe alg.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\system32\fxssvc.exe wmplayer.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\SysWow64\perfhost.exe wmplayer.exe File opened for modification C:\Windows\System32\snmptrap.exe wmplayer.exe File opened for modification C:\Windows\System32\alg.exe wmplayer.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\f477f8d9d264f17b.bin alg.exe File opened for modification C:\Windows\System32\msdtc.exe wmplayer.exe File opened for modification C:\Windows\System32\vds.exe wmplayer.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe wmplayer.exe File opened for modification C:\Windows\system32\msiexec.exe wmplayer.exe File opened for modification C:\Windows\system32\locator.exe wmplayer.exe File opened for modification C:\Windows\system32\vssvc.exe wmplayer.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe wmplayer.exe File opened for modification C:\Windows\system32\SearchIndexer.exe wmplayer.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2532 set thread context of 2832 2532 Quotation.exe 32 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe wmplayer.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe alg.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe wmplayer.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe wmplayer.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe wmplayer.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE wmplayer.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE alg.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe wmplayer.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe wmplayer.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe wmplayer.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe wmplayer.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe wmplayer.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe wmplayer.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe wmplayer.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe alg.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP39C6.tmp\ehiActivScp.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe wmplayer.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFF46.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1065.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF92E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe alg.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe wmplayer.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe alg.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP944.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe wmplayer.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GROOVE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language perfhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" ehRec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020e2c9c821efda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie ehRecvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 1312 ehRec.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe 2832 wmplayer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2832 wmplayer.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: 33 1028 EhTray.exe Token: SeIncBasePriorityPrivilege 1028 EhTray.exe Token: SeDebugPrivilege 1312 ehRec.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeRestorePrivilege 800 msiexec.exe Token: SeTakeOwnershipPrivilege 800 msiexec.exe Token: SeSecurityPrivilege 800 msiexec.exe Token: 33 1028 EhTray.exe Token: SeIncBasePriorityPrivilege 1028 EhTray.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeBackupPrivilege 3064 vssvc.exe Token: SeRestorePrivilege 3064 vssvc.exe Token: SeAuditPrivilege 3064 vssvc.exe Token: SeBackupPrivilege 1144 wbengine.exe Token: SeRestorePrivilege 1144 wbengine.exe Token: SeSecurityPrivilege 1144 wbengine.exe Token: SeManageVolumePrivilege 2756 SearchIndexer.exe Token: 33 2756 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2756 SearchIndexer.exe Token: 33 672 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 672 wmpnetwk.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeDebugPrivilege 2832 wmplayer.exe Token: SeDebugPrivilege 2832 wmplayer.exe Token: SeDebugPrivilege 2832 wmplayer.exe Token: SeDebugPrivilege 2832 wmplayer.exe Token: SeDebugPrivilege 2832 wmplayer.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe Token: SeShutdownPrivilege 872 mscorsvw.exe Token: SeShutdownPrivilege 2144 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1028 EhTray.exe 1028 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1028 EhTray.exe 1028 EhTray.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 1736 SearchProtocolHost.exe 1736 SearchProtocolHost.exe 1736 SearchProtocolHost.exe 1736 SearchProtocolHost.exe 1736 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 2556 SearchProtocolHost.exe 1736 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2404 2532 Quotation.exe 30 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2400 2532 Quotation.exe 31 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2832 2532 Quotation.exe 32 PID 2532 wrote to memory of 2892 2532 Quotation.exe 33 PID 2532 wrote to memory of 2892 2532 Quotation.exe 33 PID 2532 wrote to memory of 2892 2532 Quotation.exe 33 PID 2532 wrote to memory of 2892 2532 Quotation.exe 33 PID 2144 wrote to memory of 2668 2144 mscorsvw.exe 50 PID 2144 wrote to memory of 2668 2144 mscorsvw.exe 50 PID 2144 wrote to memory of 2668 2144 mscorsvw.exe 50 PID 2144 wrote to memory of 1484 2144 mscorsvw.exe 54 PID 2144 wrote to memory of 1484 2144 mscorsvw.exe 54 PID 2144 wrote to memory of 1484 2144 mscorsvw.exe 54 PID 872 wrote to memory of 1036 872 mscorsvw.exe 59 PID 872 wrote to memory of 1036 872 mscorsvw.exe 59 PID 872 wrote to memory of 1036 872 mscorsvw.exe 59 PID 872 wrote to memory of 1036 872 mscorsvw.exe 59 PID 872 wrote to memory of 2256 872 mscorsvw.exe 64 PID 872 wrote to memory of 2256 872 mscorsvw.exe 64 PID 872 wrote to memory of 2256 872 mscorsvw.exe 64 PID 872 wrote to memory of 2256 872 mscorsvw.exe 64 PID 872 wrote to memory of 2912 872 mscorsvw.exe 65 PID 872 wrote to memory of 2912 872 mscorsvw.exe 65 PID 872 wrote to memory of 2912 872 mscorsvw.exe 65 PID 872 wrote to memory of 2912 872 mscorsvw.exe 65 PID 2756 wrote to memory of 1736 2756 SearchIndexer.exe 66 PID 2756 wrote to memory of 1736 2756 SearchIndexer.exe 66 PID 2756 wrote to memory of 1736 2756 SearchIndexer.exe 66 PID 2756 wrote to memory of 1680 2756 SearchIndexer.exe 67 PID 2756 wrote to memory of 1680 2756 SearchIndexer.exe 67 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:2400
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵PID:2892
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2788
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2348
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2672
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 250 -NGENProcess 24c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 23c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d8 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 27c -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 278 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 28c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 28c -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2668
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1484
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 204 -NGENProcess 208 -Pipe 200 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1884
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 254 -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1040
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 228 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 208 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 230 -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1668
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 208 -NGENProcess 230 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1776
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1380
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2164
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 230 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1760
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 27c -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1036
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:432
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2952
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 28c -NGENProcess 274 -Pipe 230 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2276
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"2⤵PID:1616
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 26c -NGENProcess 27c -Pipe 298 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2256
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"2⤵PID:2668
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 204 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"2⤵PID:1560
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1784
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:2196
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 26c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1380
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 26c -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:1604
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:2772
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:556
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 26c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:2212
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:564
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:864
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:1612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:2340
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2560
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2360
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:2408
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 248 -Comment "NGen Worker Process"2⤵PID:576
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:1776
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2cc -Pipe 258 -Comment "NGen Worker Process"2⤵PID:2940
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:564
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2204
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:3036
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1232
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:936
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 308 -NGENProcess 2c4 -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:236
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:2120
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2e0 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:2208
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:756
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 304 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:1684
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2e0 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2c4 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:1284
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2e0 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:2596
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2c4 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1768
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2e0 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2952
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2c4 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2568
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2e0 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:1752
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2c4 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2600
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 304 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:1340
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:540
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1988
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1028
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1820
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1340
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1568
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2276
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:948
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:800
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:916
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:660
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2792
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2896
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1724
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:672
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1736
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1680
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2556
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD51341ce4b75e12bbaeabf67db7f33112a
SHA1e61d5043742bb98ca44f6c2391700892e5a61cb8
SHA256e98062d1e6e6cba3ae1d0126f4ec184bcd51b49e49138b28de9b277a64f181bf
SHA512c1840ba4aca48f7889c73127ea062a6af131deb191fd073ba17b1fb4eb5d566c16282806debb45e802edcec775bee7de84b91960731873d42efc7b586fb1ab31
-
Filesize
30.1MB
MD599c83f4260d5a838583bf6f306cb0aaf
SHA1eaba8b1ce56d4ccf7f75c171142e072f392d2b02
SHA256c035d58f042b7721a44498050502e6592d61216a8dbec39dad78210dd11f4d60
SHA51286c352a7855341ac6b03daa458a8e3d0f743108e1a2a81f57e66866bf1657ffa55394e1032d5ddf381387b661c5245663ac0eb9ce99da38b0bc168ef18ccc04a
-
Filesize
1.4MB
MD5a5f057b825148693a0afb61acbc73d02
SHA124a01e159a6925054ff6d9c128396ada08b791c5
SHA256cdea8b6aeca7efc073fab189eafa7cdbbef26463528f8abdb79e8ab484c62e9b
SHA512fbd788964dcab6cb7ec68d3a629729753811c8216845739e685b2acddd9dbe65f727d3e15e2205ff5fe36683b77e2ba9dae6d7756f2655fe6f88498288964c9e
-
Filesize
2.1MB
MD554b333156c79d3993045d6b52b915f01
SHA114c84b042c826a6fdf5f90d64409afb9e08d3dfb
SHA256f2d3540d75e6387af3b65731b5246890e8cf3660126fd95d752594374e019d2a
SHA512bed6e326e08a4b61f1d5c8365fef1e28679222151fc786f8b9565315d7b9c5eb71618bd7330c197cf9703ccb49bb5505431656cc2221df7d9f9978687a33c6f1
-
Filesize
1024KB
MD5d10c27f59dfdc972c4de635687df4614
SHA13ebd0ac94d845bca26c36a05e3a70f75561fe3e4
SHA25671636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65
SHA5124c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c
-
Filesize
872KB
MD5e1616847df4d086519464e105d0d6f91
SHA16e068621df45f029457bdbbc73230afbe86be18c
SHA256b891d1705354bd48257942042941fe86b34ae2827553e9dc099bad99e38c1a5a
SHA512c662d087a4637b9f5152a555d0db685bd0e93af53af402d450376228cf9abc2baeb39d991f7373933fed2d3962c38cce81407a62c6f0b0dbc870c1794b91e946
-
Filesize
1.3MB
MD5047c6dd4e1da87a3a18daa5dc7910264
SHA1465276eaefec22cebab50836255820bf142d55fe
SHA256c15451fec0c59009b6893332b10b2b4bd6f86a50449caf6036bd468710fb2b4d
SHA512e917f14770ac0a5f453c189064d539b021693ef28e3ece8eafd743401823597a0c896104831ecd2b3936b52ff644aff087b97a3ab224dcd71886d7ddb32d3165
-
Filesize
8KB
MD5b44995b1b0c5eaa4395f45657a1b4e8a
SHA113e8941b0b1fec1834933ebcdf09e50223c19f73
SHA256f599c123edf76ebcf192b0d1e323693751336b918aeb7768e8cf3c37905d1139
SHA5126302814f56ba2aa0e00446bbe8b1a7b7b369337643be1458a4080c1d440a4a34f87aebfebe9e4fe5ebaf7f6baee27ce4245f88500119de6383b4760ebabe92d5
-
Filesize
1.2MB
MD5e13b9ba3321289e0d8440811df0cd917
SHA148bceac75eac699ce8e0863897206b7df129fcf2
SHA25641da5369c5628958f15d398240a1af1ad14feacc7cf01de8858307ee1af7b574
SHA512a7a87af3903ccf5d33ddabfc2ebd82b812a4cdbf2a69ffd2e8e14d9b011318371bf4e40d7f1c2590123b0d262373f0cbb1368ceb83305e08955069cb1c6c35a2
-
Filesize
1003KB
MD51dbe038fbfb3063d24b9de4874694d5b
SHA1885036c2118a6553dc866c77f0ea9737ff308f04
SHA256711d14108d131ad88abd45aacfa66315ac23e730756e95c04ff3e6f423a5ffba
SHA512dca2abb01167d9e56231c594f18a40b3ed9dd44449f74aebc925aa6ffb9836231bf31e01c7ff20974bc8a5b80e0294ece05d8aa59b1bed53d925b15395939b5f
-
Filesize
1.3MB
MD5c9737f6649da814dc40a362fd16a436a
SHA130d3787f480b97a2a7906890f4b24a721e080753
SHA256d2bc3b5f71f6b55da3fcb46a7b5005b74aaba7e193bf4679930987a5e82c0bae
SHA51290734c51ee79b001c389cafe8aa9f401abb1abbb37740410be9a8308ee68b2f840b13c15f853be568b385b64fb32a612545dc2d8b1ea63d14e1ee567d42499be
-
Filesize
1.2MB
MD5f6b8f7048458affe93a679ef92c73a48
SHA17d3bbd1fcfb93dea453be11c16fdbcc4ac2ee618
SHA256084132ad2350df77e0f96367b9b9df26ce86495d0c731238de231e36118753f6
SHA5128ed05b04e1c0f466af8d5b649970993f57a77da9e7903643be98a5c5e54a2ab00dbf9058edad25b222eb1f467367a06e1d169c098426d1fdee6316716a2daf5e
-
Filesize
1.1MB
MD57f86ddb26a34505bfb7cf749cba5f7e1
SHA115bd469d4be72f3cc5de95db7a17b6ab5781b291
SHA256eaa1f8ddf24b1a694d962e4c352ca2ad2241815645d004e456ac0ef7bc3202f0
SHA51276d627ac5426d9404c445f15c2cb179eb884a96f57bed7aadc6641a809603e0aa97d20a95bd42db5ccb8066c60199a5efe79a4f18eb97b1841e4ef592caae9f9
-
Filesize
2.1MB
MD547bd4645450e9ff3f9868f7393e02429
SHA1961e92676385d5ff420b76f07e32bb1d21bf44e7
SHA2560e0c6443315c1b4153efdd4da06bd40566648720d84ae22ab638623946027fee
SHA512010bef01e0f9566e8938157813b64f94cfec8d5d6c2acce69b6ef610e7ae9c634c6f879cecae0794d5f39c707ddf3441f5572ff8fdb763cd004019a0aebd83b6
-
Filesize
1.3MB
MD5e2c0470b754ae56d3bac421856756caf
SHA15e811e8004777b8449ea6a16a338f608137c6d24
SHA256adc43d7243833b901ea1b97e53c79d55fe8092611b754b8d6c63dec9b4369db3
SHA512ebd4c7051dc8aef45f54f6ce8f17252d842064d28ec7d9fd21289003ea47feaf16d4d38435cb485bd6aed1d764fdc9560d2c0de6e2d979e423da2d77062cb7d0
-
Filesize
1.3MB
MD5658918c66d65064094b17f0691199b3d
SHA1a902e1a4ac821a74b30af786280f635501ca1566
SHA256d1efe3a955ad1cc6d174d2be05cf6570c58bca8d85eba2c7b585258fd50104f2
SHA512030947ea3f46d618dd2df1f7fbe4327e0b50544522f942b90e1abbc9d785350f0ac8bef69718f0dcf72d8a85abd82f3057b932f5eee781989843747fa1fbcd7f
-
Filesize
1.7MB
MD55c92ae4304143cb033c309267633a79b
SHA1f5e6fdb4f97de6a8349426782046bb6cd1baaf21
SHA2568888f7aa177397fc4627c31e7509d54f71a30cb3c81449ee200622b7036edc6a
SHA512dba7b9cb7f04f017a7d525b65b88b5070646d60d6aaa54ce198bd067ace1e0539f9d8049f59fce1d24932cd00f9adadec9fe8f376295603a43516046e5acd9b0
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize248KB
MD54bbf44ea6ee52d7af8e58ea9c0caa120
SHA1f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize205KB
MD50a41e63195a60814fe770be368b4992f
SHA1d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA2564a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA5121c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize43KB
MD568c51bcdc03e97a119431061273f045a
SHA16ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA2564a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3f489f0b3599f90308412d23482c08e7\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize122KB
MD53150343a93c433999bd31a2266844d5c
SHA15ea0d2aeaa17cb4487255ff9e95f8f93fb1fada6
SHA256e6b627f45d6cec6e1742717f131eb88151eddb4d4d932a2dc67cb2110d6ea764
SHA5123d4561cbc90fc3af3eb9da1c22d80964536923ef7e7eb2897efb08d26e91464dc693ccd96accd7b7695adc6fd9feb740ed892f37ff3d037388df28b4206fbbfa
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize70KB
MD557b601497b76f8cd4f0486d8c8bf918e
SHA1da797c446d4ca5a328f6322219f14efe90a5be54
SHA2561380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA5121347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize82KB
MD52eeeff61d87428ae7a2e651822adfdc4
SHA166f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA25637f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b68a6cc5c8f7d04deebb6d6643c43202\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize271KB
MD5e8b4393dcd40bc00031c2341f7020c62
SHA1fb76e84c93d16c524c24b2c935de6f81af16eef7
SHA256f4898c3be9e615e230f64a8403b0fffa824dac2fc36fb8ebfa9314cb4716fbed
SHA512dea64b080f8ad3bfa40843a71686001b88e6a00da1815586cfe81441a8684af04fa4fc0124a36c4297dc22d11657a8174943a3c76a9b5ba716a3039f6ed09713
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c9d7683dad650b4ac61adb999e066d7b\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize221KB
MD542d454e659281161ba82248ba4d06c5c
SHA191f3ee92daf0f951a73544726c4cf98a17b60148
SHA2569d72f2d1c160c4fc9376cf7f122665ec9f934d5f3c44b80cbcd33c2e16b81068
SHA5120593f6a94914faaa21cba3c7a539615d7654f50578f068cbbeb63472b5bf5c0c1f1a9d1cd02da630f3c6f35d4492ee33c1a386874c79596adeaf7e5e8a119f55
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e5f16a5f03038abe41f0632384456e0b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize305KB
MD577f1cf48d9055674a728af828135bdfc
SHA1ab1a60aa5b6fac6fa82236cbcac2a7d7e39adc59
SHA256e4b89c4e5e2dc7e6ece1e53b581e74e0e0b52f01949ac412e430366a8c279e2e
SHA51211b88455c11091e563fc1e28aa56607b4714525fd55780eb8b9d48d9cda28e9b38f9858e8a13492a739c012e348d4b6b2c0dadd601c268551dea265ec893a98c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize43KB
MD5dd1dfa421035fdfb6fd96d301a8c3d96
SHA1d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA5128e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize124KB
MD5929653b5b019b4555b25d55e6bf9987b
SHA1993844805819ee445ff8136ee38c1aee70de3180
SHA2562766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize2.1MB
MD510b5a285eafccdd35390bb49861657e7
SHA162c05a4380e68418463529298058f3d2de19660d
SHA2565f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA51219ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize88KB
MD51f394b5ca6924de6d9dbfb0e90ea50ef
SHA14e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA2569db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476
-
Filesize
2.0MB
MD5574bb474696d2968f7e366d3355fdb7c
SHA11dc94d359b6cd73a61303277ba0629841545b70b
SHA256d2793261009fa1aeb4f7936807c7959e59b1f90a60bf3c4fe92b2221d95d2a72
SHA512602161a1c4dab97f626219e8d43e4b5140c412441b0d94db66f75d9a8bbb68feff29e85ce12051ca1fbbfd73f1b1fe39db7e86d7472d328c2f2917578242830f
-
Filesize
1.3MB
MD51f06f7510c384ae8d3c44dfc19e37385
SHA1675da108527b8d79527c3ad519d5d80e941c257c
SHA25675544ed88001da8d2cf572a10eb37bb212e6fae6aa78824d049f33eb9d4389d5
SHA5120eccdb43a93f4352c84a57e318a147a97aeb19de356d1c49ba98bbb7bfb9c8fea7ae32604af944acef8912f8cc74b1f4ddc8c19a8e98cead6d61c84fe76e47a1
-
Filesize
1.2MB
MD5ac05bc3751ae34e0bc689d11475fe03c
SHA1a829c99069fbed0b2edf72ccb4c1a859217afe35
SHA2561e92e9e252423ce709a008052018dac951e92c547f4d4cfcafef91b83b3b0e7c
SHA5122c2089b2d53a3e0212acf1dfbaed67fda202bff580235acde7ad0002074a12bdbb98ab81b3afb0428d312183b68253bb0831a4acb94c6a260bb00fcfe4e7afed
-
Filesize
1.2MB
MD58a73284e64211b4022d2e74f994f2f19
SHA15ca85164d6a8d0b137c2558d124ab3f78f82186f
SHA256e5155e383d4b6767ada030fa383b46509d5533205936551f507d3272f1a33575
SHA512c4ead4fd203e6ebf5d944158b5b3c76d79b6ad7b1e1cd964c2d697a259e45e7cce395fedb9ababcd78b7b826cc2d0eccd5e83466cc482f4da9d9783fea1c9932
-
Filesize
1.3MB
MD556dd3fcc7e4b2c8e6980cdebc0d817b9
SHA18bc5aa18a434efba45e7c2d20b3270c88bc4ad9a
SHA2568cde643dd7267b0b1a259778903d3ecce2ebd350300956f262129f336d1e39be
SHA512b3ec20379268f023504db0363c85ee05aed50ee3babd65bfbbaba8d7d77398e031cc5b17fa1d4c60316cac00857ea93be026de27508e26d6fa06d300d6fd8507
-
Filesize
1.3MB
MD5c700667ead533a91b0ee77e46e1e09f8
SHA11b9c423a7d8f751d9a3a3e68413803756346a780
SHA256b920ea02c03e47e8f393f62bf18038628fde7380d1d52ba39491f6c52ad3595c
SHA512d836958a5afeb57c396ca11895895878b174462c05907c697e90fd2857cd006580d20dc4d0407ccf552e6e6e6fd42c506aa4af13eecbb2515d68d83d55276d35
-
Filesize
1.2MB
MD53f2d44b46f17349712ccfa8f28d3c29e
SHA188192aea4b009ea87fbe0f7cdea6f9a42f4d4230
SHA256a39737b43adc0763c1e0669152332426a6dcf7447d80436872e47e6846884acd
SHA512f003948981916fdf4b14a8ccdb9d08821de021af69fd722289069925cf81b6b47fad7f556d7cfbd46a35a9f9d5ae7639e5cd09099a6c3e08c0d5f1f61c504562
-
Filesize
1.4MB
MD524bf89bd38ff2f419e0cdb90c79658ed
SHA18963d7df14566d58dcac0124ffb403d579e368f0
SHA2564222afaa2499ee9805e1e7e39ec7b79dfe392b191070303f62962c5d5e6dbdf3
SHA51205758be6edfb333b74327639682333809cb83f3787826a29344f548256885e65813ccc0b00f01ccce9b1a801d39259d18517b4a3ea87e6a570319b6afbcbe63b
-
Filesize
2.0MB
MD5a985d36eea34919070501fef29d00312
SHA1986638d74b318eb2b55e48350972441955633cca
SHA256a10b15448ce3473ff6849d6c5569f22d0663c12c5f0e378dbd605114d66e9355
SHA512df87189bc598aaaabde2bbb79423618f246a43c70dab7794de926b2f2bde04eba9bb32046e754baa7a42e4ff9fe5d98b0f12f1372b41ce8d3fcf8d2d5a78e260
-
Filesize
1.2MB
MD52af30778d59c7688fb4993515869927b
SHA1e0943f665b478aef9fb98404a71901705bc9b9bb
SHA256101deb178fd603202778fc368bf080bfd1f03cedab46632889a9397067ecaf1f
SHA512a2747e2186eec7327a4ff48b852f2d2058ec623277c38636e33bc5a71b8cd46fd8dd0ff7e0661c9eee5e82594c37eb8f5c7d58b68e3f103edff768c2d193ed34
-
Filesize
1.3MB
MD5e5b326b741c515a33145e84a9fdd51f5
SHA14751f997ceaf940ef80c8ac1cb4ba96a2801e460
SHA2562d1363a094fc1d35b3ddee5cf2a1b9533bed2d5f0d997baee0399706a3b5c135
SHA5125c26a61a7cb342b64722f109450e1f425add91dccaca5ddee51fd1980fa0dc5747acc43c20ced4e5282bf4b0c6e9fe01bee184a74b32870f5cfda739b819797f