Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 114s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 13:51
Static task: static1
Behavioral task: behavioral1
Sample: 83d71bb2969e713ce6c7f87b23dd97a0N.exe
Resource: win7-20240704-en
General
Target: 83d71bb2969e713ce6c7f87b23dd97a0N.exe
Size: 648KB
MD5: 83d71bb2969e713ce6c7f87b23dd97a0
SHA1: 4959c38b39853f496efdc5fdf3a83077cc37d349
SHA256: a31625b633c6bf80b6f9040a6278bd237706968e3f977907ef77f3d168e9b2f9
SHA512: 8ee2947093522e05b5cb67e77127c7b18e58f3142d1a1da9979537490a04e44c2c57644ba74b3f4fd6f03147b9b291e9c8ce23241c4a91222c5b58cb1097fee8
SSDEEP: 12288:8qz2DWUdCFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:lz2DWn8NDFKYmKOF0zr31JwAlcR3QC0q
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 46 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 23 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
2164 ehRec.exe
2420 aspnet_state.exe
2420 aspnet_state.exe
2420 aspnet_state.exe
2420 aspnet_state.exe
2420 aspnet_state.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2432 83d71bb2969e713ce6c7f87b23dd97a0N.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: 33 1828 EhTray.exe
Token: SeIncBasePriorityPrivilege 1828 EhTray.exe
Token: SeRestorePrivilege 2356 msiexec.exe
Token: SeTakeOwnershipPrivilege 2356 msiexec.exe
Token: SeSecurityPrivilege 2356 msiexec.exe
Token: SeDebugPrivilege 2164 ehRec.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: 33 1828 EhTray.exe
Token: SeIncBasePriorityPrivilege 1828 EhTray.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeDebugPrivilege 2852 alg.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeTakeOwnershipPrivilege 2420 aspnet_state.exe
Token: SeBackupPrivilege 1592 vssvc.exe
Token: SeRestorePrivilege 1592 vssvc.exe
Token: SeAuditPrivilege 1592 vssvc.exe
Token: SeBackupPrivilege 2248 wbengine.exe
Token: SeRestorePrivilege 2248 wbengine.exe
Token: SeSecurityPrivilege 2248 wbengine.exe
Token: SeManageVolumePrivilege 524 SearchIndexer.exe
Token: 33 1496 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 1496 wmpnetwk.exe
Token: 33 524 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 524 SearchIndexer.exe
Token: SeDebugPrivilege 2420 aspnet_state.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
Token: SeShutdownPrivilege 2876 mscorsvw.exe
Token: SeShutdownPrivilege 1636 mscorsvw.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1828 EhTray.exe
1828 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
1828 EhTray.exe
1828 EhTray.exe
-
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process
2032 SearchProtocolHost.exe
2032 SearchProtocolHost.exe
2032 SearchProtocolHost.exe
2032 SearchProtocolHost.exe
2032 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
2012 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1636 wrote to memory of 1528 1636 mscorsvw.exe 46
PID 1636 wrote to memory of 1528 1636 mscorsvw.exe 46
PID 1636 wrote to memory of 1528 1636 mscorsvw.exe 46
PID 1636 wrote to memory of 1528 1636 mscorsvw.exe 46
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 2320 1636 mscorsvw.exe 48
PID 1636 wrote to memory of 2320 1636 mscorsvw.exe 48
PID 1636 wrote to memory of 2320 1636 mscorsvw.exe 48
PID 1636 wrote to memory of 2320 1636 mscorsvw.exe 48
PID 1636 wrote to memory of 2408 1636 mscorsvw.exe 49
PID 1636 wrote to memory of 2408 1636 mscorsvw.exe 49
PID 1636 wrote to memory of 2408 1636 mscorsvw.exe 49
PID 1636 wrote to memory of 2408 1636 mscorsvw.exe 49
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2696 1636 mscorsvw.exe 51
PID 1636 wrote to memory of 2696 1636 mscorsvw.exe 51
PID 1636 wrote to memory of 2696 1636 mscorsvw.exe 51
PID 1636 wrote to memory of 2696 1636 mscorsvw.exe 51
PID 1636 wrote to memory of 560 1636 mscorsvw.exe 52
PID 1636 wrote to memory of 560 1636 mscorsvw.exe 52
PID 1636 wrote to memory of 560 1636 mscorsvw.exe 52
PID 1636 wrote to memory of 560 1636 mscorsvw.exe 52
PID 1636 wrote to memory of 1692 1636 mscorsvw.exe 53
PID 1636 wrote to memory of 1692 1636 mscorsvw.exe 53
PID 1636 wrote to memory of 1692 1636 mscorsvw.exe 53
PID 1636 wrote to memory of 1692 1636 mscorsvw.exe 53
PID 1636 wrote to memory of 2296 1636 mscorsvw.exe 54
PID 1636 wrote to memory of 2296 1636 mscorsvw.exe 54
PID 1636 wrote to memory of 2296 1636 mscorsvw.exe 54
PID 1636 wrote to memory of 2296 1636 mscorsvw.exe 54
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 836 1636 mscorsvw.exe 55
PID 1636 wrote to memory of 1768 1636 mscorsvw.exe 56
PID 1636 wrote to memory of 1768 1636 mscorsvw.exe 56
PID 1636 wrote to memory of 1768 1636 mscorsvw.exe 56
PID 1636 wrote to memory of 1768 1636 mscorsvw.exe 56
PID 1636 wrote to memory of 2732 1636 mscorsvw.exe 57
PID 1636 wrote to memory of 2732 1636 mscorsvw.exe 57
PID 1636 wrote to memory of 2732 1636 mscorsvw.exe 57
PID 1636 wrote to memory of 2732 1636 mscorsvw.exe 57
PID 1636 wrote to memory of 2116 1636 mscorsvw.exe 58
PID 1636 wrote to memory of 2116 1636 mscorsvw.exe 58
PID 1636 wrote to memory of 2116 1636 mscorsvw.exe 58
PID 1636 wrote to memory of 2116 1636 mscorsvw.exe 58
PID 1636 wrote to memory of 1500 1636 mscorsvw.exe 59
PID 1636 wrote to memory of 1500 1636 mscorsvw.exe 59
PID 1636 wrote to memory of 1500 1636 mscorsvw.exe 59
PID 1636 wrote to memory of 1500 1636 mscorsvw.exe 59
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 2976 1636 mscorsvw.exe 60
PID 1636 wrote to memory of 472 1636 mscorsvw.exe 61
PID 1636 wrote to memory of 472 1636 mscorsvw.exe 61
PID 1636 wrote to memory of 472 1636 mscorsvw.exe 61
PID 1636 wrote to memory of 472 1636 mscorsvw.exe 61
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\83d71bb2969e713ce6c7f87b23dd97a0N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\83d71bb2969e713ce6c7f87b23dd97a0N.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2656
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:976
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 1f4 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 1f4 -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 268 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f4 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1f4 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1f4 -NGENProcess 288 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 284 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 284 -NGENProcess 1f4 -Pipe 240 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 2a0 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 270 -Pipe 288 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 1e4 -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 21c -NGENProcess 298 -Pipe 1f0 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 250 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 290 -NGENProcess 294 -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 258 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 21c -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 21c -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 220 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 248 -NGENProcess 244 -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d4 -NGENProcess 21c -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 21c -NGENProcess 220 -Pipe 1c8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 270 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 1d4 -Pipe 2b0 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 220 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 220 -NGENProcess 270 -Pipe 2a8 -Comment "NGen Worker Process"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 29c -NGENProcess 1d4 -Pipe 21c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 1d4 -NGENProcess 278 -Pipe 2ac -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 280 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 29c -Pipe 1e4 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 278 -Pipe 220 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 280 -Pipe 1f4 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 1d4 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 29c -NGENProcess 28c -Pipe 2b4 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c0 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 280 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:1632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2c8 -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 28c -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 280 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2392
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 28c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2148
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:1344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3048
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
PID:2672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 298 -Comment "NGen Worker Process"
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 288 -Pipe 2d0 -Comment "NGen Worker Process"
PID:2460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 2f4 -Comment "NGen Worker Process"
PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 2f0 -Pipe 288 -Comment "NGen Worker Process"
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 310 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
PID:772
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:640
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:700
-
-
C:\Windows\ehome\ehRecvr.exe (depth 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2592
-
C:\Windows\ehome\ehsched.exe (depth 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:2148
-
C:\Windows\eHome\EhTray.exe (depth 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1828
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:316
-
C:\Windows\system32\IEEtwCollector.exe (depth 1)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:2524
-
C:\Windows\ehome\ehRec.exe (depth 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1716
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2532
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1868
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2992
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2664
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2008
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:560
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:524 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2032
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 6002⤵
- Modifies data under HKEY_USERS
PID:2300
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2012
-
Network
MITRE ATT&CK Enterprise v15
Downloads