Analysis
max time kernel: 113s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 22:21
Static task: static1
Behavioral task: behavioral1
Sample: 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Resource: win7-20240903-en
General
Target: 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Size: 4.1MB
MD5: a859f6bf1bbb4df6c23bbdc0d4cae460
SHA1: 992d843bbbf6cfcc9ecd33f978554955b4044554
SHA256: 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38
SHA512: 03be0abbc579b48507aa7441b3946e7a6a8dd23a008006510dcc79a99e347fae4c429a00422c673a92f2d7f5036a68cc0359b1464e3642233838735c175ef6e3
SSDEEP: 98304:IDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HFbx4uR:IDqPe1Cxcxk3ZAEUadzR8yc4HF2
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (2202) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (62 IoCs)
pid | Process
464 | Process not Found
2872 | alg.exe
2172 | aspnet_state.exe
1120 | mscorsvw.exe
2616 | tasksche.exe
2128 | mscorsvw.exe
1532 | mscorsvw.exe
2240 | elevation_service.exe
2432 | GROOVE.EXE
524 | maintenanceservice.exe
1528 | OSE.EXE
1092 | mscorsvw.exe
936 | mscorsvw.exe
1804 | mscorsvw.exe
2780 | mscorsvw.exe
2884 | mscorsvw.exe
2064 | mscorsvw.exe
1944 | mscorsvw.exe
2192 | mscorsvw.exe
1440 | mscorsvw.exe
2308 | mscorsvw.exe
1544 | mscorsvw.exe
2484 | mscorsvw.exe
944 | mscorsvw.exe
2532 | mscorsvw.exe
2736 | mscorsvw.exe
2796 | mscorsvw.exe
2260 | mscorsvw.exe
1448 | mscorsvw.exe
1180 | mscorsvw.exe
2216 | mscorsvw.exe
2460 | mscorsvw.exe
1564 | mscorsvw.exe
684 | mscorsvw.exe
2632 | mscorsvw.exe
1608 | mscorsvw.exe
2932 | mscorsvw.exe
2500 | ehRecvr.exe
1624 | ehsched.exe
1076 | IEEtwCollector.exe
112 | msdtc.exe
1868 | msiexec.exe
1096 | perfhost.exe
2484 | locator.exe
1956 | snmptrap.exe
2476 | vds.exe
940 | vssvc.exe
1964 | wbengine.exe
2296 | WmiApSrv.exe
1588 | wmpnetwk.exe
3068 | SearchIndexer.exe
2972 | mscorsvw.exe
1484 | mscorsvw.exe
3140 | mscorsvw.exe
3256 | mscorsvw.exe
3428 | mscorsvw.exe
3608 | mscorsvw.exe
3740 | mscorsvw.exe
4000 | mscorsvw.exe
1020 | mscorsvw.exe
2416 | mscorsvw.exe
3140 | mscorsvw.exe
Loads dropped DLL (20 IoCs)
pid | Process
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
1868 | msiexec.exe
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
464 | Process not Found
736 | Process not Found
3428 | mscorsvw.exe
3428 | mscorsvw.exe
3740 | mscorsvw.exe
3740 | mscorsvw.exe
1020 | mscorsvw.exe
1020 | mscorsvw.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\snmptrap.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9507cf58f1301b95.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\System32\vds.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\System32\alg.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{81B62077-4199-45EB-921D-6EB76AC289EE}\chrome_installer.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | alg.exe
Drops file in Windows directory (52 IoCs)
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAFB0.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | alg.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPAAB1.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA757.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat | mscorsvw.exe
File created | C:\WINDOWS\tasksche.exe | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat | mscorsvw.exe
System Location Discovery: System Language Discovery (1 TTP, 30 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OSE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GROOVE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ba000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB7842C-ACF5-46F2-AAEA-B7EC40169877}\WpadDecision = "0" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB7842C-ACF5-46F2-AAEA-B7EC40169877}\WpadNetworkName = "Network 3" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-b6-bc-7b-95-ca\WpadDecisionReason = "1" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-b6-bc-7b-95-ca\WpadDecision = "0" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{89761EE0-5DED-4096-9E93-4ED7A6E5D37F} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB7842C-ACF5-46F2-AAEA-B7EC40169877}\WpadDecisionTime = a02c589f991adb01 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-b6-bc-7b-95-ca\WpadDecisionTime = a02c589f991adb01 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{89761EE0-5DED-4096-9E93-4ED7A6E5D37F} | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1932 | ehRec.exe
1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 948 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeDebugPrivilege | 2872 | alg.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeTakeOwnershipPrivilege | 1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: 33 | 2940 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2940 | EhTray.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeRestorePrivilege | 1868 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1868 | msiexec.exe
Token: SeSecurityPrivilege | 1868 | msiexec.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeDebugPrivilege | 1932 | ehRec.exe
Token: SeBackupPrivilege | 940 | vssvc.exe
Token: SeRestorePrivilege | 940 | vssvc.exe
Token: SeAuditPrivilege | 940 | vssvc.exe
Token: SeBackupPrivilege | 1964 | wbengine.exe
Token: SeRestorePrivilege | 1964 | wbengine.exe
Token: SeSecurityPrivilege | 1964 | wbengine.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeDebugPrivilege | 1656 | 087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe
Token: SeManageVolumePrivilege | 3068 | SearchIndexer.exe
Token: 33 | 3068 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 3068 | SearchIndexer.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: 33 | 2940 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 2940 | EhTray.exe
Token: 33 | 1588 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 1588 | wmpnetwk.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Token: SeShutdownPrivilege | 1532 | mscorsvw.exe
Token: SeShutdownPrivilege | 2128 | mscorsvw.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe"C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:948 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2616
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2172
-
C:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exeC:\Users\Admin\AppData\Local\Temp\087853446f05cfe03410073ab6370f1de2106e50970a0d37e1f220e592e17e38N.exe -m security1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1120
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f0 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 1f0 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 28c -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 294 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 284 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 1d8 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 258 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1092
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:936
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 208 -NGENProcess 1bc -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 258 -NGENProcess 238 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1484
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 230 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3140
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1bc -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3256
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 238 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3428
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1bc -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3608
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3740
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 268 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:4000
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1bc -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1020
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1bc -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2416
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 280 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3140
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 268 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"2⤵PID:3448
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"2⤵PID:3572
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 24c -NGENProcess 27c -Pipe 284 -Comment "NGen Worker Process"2⤵PID:3396
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 278 -Pipe 294 -Comment "NGen Worker Process"2⤵PID:3856
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 24c -NGENProcess 290 -Pipe 230 -Comment "NGen Worker Process"2⤵PID:3812
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 280 -NGENProcess 1bc -Pipe 240 -Comment "NGen Worker Process"2⤵PID:2972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1bc -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"2⤵PID:2876
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2a0 -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"2⤵PID:3188
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 1bc -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:3444
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 298 -NGENProcess 290 -Pipe 24c -Comment "NGen Worker Process"2⤵PID:3512
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"2⤵PID:3724
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"2⤵PID:924
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 290 -NGENProcess 2ac -Pipe 27c -Comment "NGen Worker Process"2⤵PID:3224
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 2b4 -Pipe 1bc -Comment "NGen Worker Process"2⤵PID:3872
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:3160
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 298 -Comment "NGen Worker Process"2⤵PID:3124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2b4 -NGENProcess 2bc -Pipe 268 -Comment "NGen Worker Process"2⤵PID:2512
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2b8 -NGENProcess 2c4 -Pipe 290 -Comment "NGen Worker Process"2⤵PID:3076
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:3588
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a0 -NGENProcess 2c4 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:3572
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2c4 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:4032
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d8 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:4076
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d0 -NGENProcess 2a0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:3708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 2ac -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:3740
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ac -NGENProcess 2cc -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:3620
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2240
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2432
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:524
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2500
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1624
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1076
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:112
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2484
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1956
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2476
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2296
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2392
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 6002⤵PID:2108
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1500
-
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA18a6e5379591573c98049ec9431965ccb51cd6833
SHA256a3f9372b87f32e708fbd2242401f0589d94901fc78dd534f0f3340c668da70ac
SHA512ee1fa4cd329d45b4bb28a0a4a222599c5ace076d325ecf871fdb250e068f2d483da2c40c7af3e3fe3f943368871728c4b9a128891112bd1113131d7dcaed9f05
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize 248KB
MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize 58KB
MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize 205KB
MD5 0a41e63195a60814fe770be368b4992f
SHA1 d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\26afe82d0cb37b64a01a64efd1f06202\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize 271KB
MD5 2f71e7560517a24cf7b41259c96beb32
SHA1 774ddbe2b2e8ee11cac98a55e00e947435fff546
SHA256 ba0984f8d43c79fbf548882171d724d524cd8ab42705f072e2c9909556051f19
SHA512 06938c8914cc5ed9fe231fd34d51118caf29253d03832f28384ce821160d56194da3a3a97946371339e5802438a6423f2c03661a9afe5e1e8298727deae0a514
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize 43KB
MD5 68c51bcdc03e97a119431061273f045a
SHA1 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512 d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize 198KB
MD5 9d9305a1998234e5a8f7047e1d8c0efe
SHA1 ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5de59c149b15b8aac843891510ed36af\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize 221KB
MD5 804a6bc4fd83a090b25943d715395b41
SHA1 7ee234eab43a126ac98716e070b9b16b37e529af
SHA256 4400afd24bc9036d983a150f43527af2d0bb654b4b9f56aada9f807ebbebad91
SHA512 0663e477160dddf9d0dc88be91548454a089d1cb4a24d9ad086f665a0f52e125da1296f74f33a5c1a2890cd2947df9ea8c0e5d7635e61bc2e297ba68e158948c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize 70KB
MD5 57b601497b76f8cd4f0486d8c8bf918e
SHA1 da797c446d4ca5a328f6322219f14efe90a5be54
SHA256 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\71aa8a61ea7cfa9bcea28cd76ffebaf6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize 122KB
MD5 5c7fe25eb6156533ca7f70b175443229
SHA1 670c6b0d0425fa2e818bca08cb2a021ac30efc65
SHA256 5f3a4f6205929e8ec44816ce1df868045024a416a17a002678597ebb5cf0b599
SHA512 2155dfe628d8d71455bed003fc249bcadab5bb65af31bb992c585b349ee071596b6e60e795e18098cbc5270a55e388df90df651547780bd3db08e423f4704469
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize 87KB
MD5 ed5c3f3402e320a8b4c6a33245a687d1
SHA1 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256 b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512 d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\95e37d89500905056286d1a6a566fe3c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize 305KB
MD5 ac5f2c38c0def1e115744172fdefec39
SHA1 eac6ccd39461e8f9e5ef53e689ed245444f7b25c
SHA256 8eb3df39820fec7a42dd2cf57ec7151bc99b546cb5db943f704af8354e355d73
SHA512 e3da08b531db783243e1f195abb396f3c73b47a141c07ffa3208f78de4a9b6bd1df42688aff6e4bef59cf409f8edfb3af1ab1e1c36c9b2ea26f0f6fc0ba874da
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize 82KB
MD5 2eeeff61d87428ae7a2e651822adfdc4
SHA1 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512 cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize 58KB
MD5 a8b651d9ae89d5e790ab8357edebbffe
SHA1 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512 b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize 85KB
MD5 5180107f98e16bdca63e67e7e3169d22
SHA1 dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256 d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize 298KB
MD5 5fd34a21f44ccbeda1bf502aa162a96a
SHA1 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize 43KB
MD5 dd1dfa421035fdfb6fd96d301a8c3d96
SHA1 d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256 f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
Filesize 1.2MB
MD5 f2a4fdbb8da8e3e4133fcf27dbb574c7
SHA1 3a824a81c4fc3db0a7cb27113089f29ed65091cd
SHA256 6436ddd1ecd9272d5cb27665d221a451612d39939d5c71075d24104d964fe437
SHA512 a60912fa042baae1f4e0c1553a18a8f030edb385d6733310bc14684d9c27087b37282049bd677f50b292e3c86db2206c1fe94acf0f27f35f33832aa9cb7e3f13
-
Filesize 3.4MB
MD5 7f7ccaa16fb15eb1c7399d422f8363e8
SHA1 bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA256 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA512 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
-
Filesize 648KB
MD5 7e7cebeccd4c19d7cea8aae6be831413
SHA1 b0829509f8c2dff44d1d5e20fa9fe5c555d9d697
SHA256 7c21f11be204f7bb6972b9487c4114a92046ba52b9833c90b3a7050b2f2e2cfc
SHA512 1a6457405705ac46f7af745e9503174bfe64b60155391842c80a324474dec29195ab85c1ef0d2521a086185ea0a4aadd3dd4ac0d65b56dd0368074339c840dcb
-
Filesize 644KB
MD5 33bd2a1aea8ee1a2d68c9ca1293900e6
SHA1 92229a907ac323707d90a02a0d6391cf6c9e27c7
SHA256 18626a13b7ae53f6305e2d5ce8d057cd622fbee700c42b6304f9bed8fa40e816
SHA512 3ed880c6b61a5deac2a39865373aa34e2a8e8f01f56d549ebdbd32df35bcb4092bdb158f95cd8d33b2c1f1d6278e9abae1377b87e2d556726597b9fc1f5c511e
-
Filesize 691KB
MD5 7ee5f1c414a1bf010a654e11065fe6d8
SHA1 312f104b071d05a99e10663af13f6ca45c51029d
SHA256 80442cb9d2fffedf9202c2a7af0330d2e1cd6151db3bf331b72983fb593e028c
SHA512 a5c7e09c130f1852f38e645ac7bb4e80dfa96b826f731a64641dee7089493e851809931eb457b5f5301daeb112d862749fe5b70c4fa5605ba0531fcb1bc84cad
-
Filesize 581KB
MD5 a885f4e84171dfd554af2e264010420c
SHA1 a007159283abaa783de5cea63e1c8918436ca171
SHA256 5662e10475705ca3150aea8278b205f796bbc53c3c4dfdc07ae8797520b68321
SHA512 0376a57a9e273950ad52bb614d88ee3bf59daafada6ec11c6a5e1441989d638dfc9eb9250574a12f9d5bd4509629d60431f95b512a75da2c050b7fe65b4f663f
-
Filesize 2.0MB
MD5 3df4baf9d9f1cea23d4b02fc4e560c03
SHA1 434a7c1e81b22724fe7b3e721251d93984bfde55
SHA256 ae23349cba74cd2e081dbbf292cad1043cbaa7683556d573a83c3e75bdc0815e
SHA512 6b792acf45aadd205b4feec06a54fe6ff9fa5aac1c21ed5e63861a61bcfa2a0a8ed39a99e8331b47c9ba849748310333997cb537737c4c2b3cd561a08f3b8e56
-
Filesize 691KB
MD5 1c1e572ffefcd3557ae07d1aba122ad6
SHA1 d2962bddcd35c7cc67fe8a2e2a4281be627f1eff
SHA256 34567c0166d72b5d5cc6a5e7f81c4da60be17f860f14589a0fc6ed6d24be679a
SHA512 dc8b3db9125c9652e8d6d4258432c7de229d060d4a4c7b5a0a076aa5c63e7f80d39e77a45fb852167532783437b0a5331cac43ae054716d9d560486bf187616b
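The dropped-file listing above is only useful to a responder once it has been turned into a hash set that can be checked against files on a suspect host. The script below is an added example, not tria.ge code: it parses the listing in the shape it arrives here (labels fused to their values or separated by a space, `Filesize` sometimes split onto the following line, entries separated by `-`, a Windows path present only for some entries), rejects digests of the wrong length, and matches a file's bytes against the records. Matching deliberately uses only SHA-512 or SHA-256; MD5 and SHA-1 are kept for correlation with other reports but are collision-prone, so they are not treated as proof of identity. The embedded sample copies the first two entries from this page and appends a third, constructed entry whose bytes and digest are generated inside the script; the `DroppedFile` type and function names are this example's own.

```python
"""Turn a tria.ge-style dropped-file listing into IoC records and match files against it."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Digest labels as printed in the report, with the hex length each must have.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Accepts both the fused form ("MD5b9bd...") and the spaced form ("MD5 b9bd...").
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
# "Filesize24B", "Filesize 24B", or a bare "Filesize" whose value is on the next line.
SIZE_RE = re.compile(r"^Filesize\s*(\S+)?$")


@dataclass
class DroppedFile:
    path: Optional[str] = None          # absent for entries the report lists without a path
    size: Optional[str] = None          # kept as the report's own string, e.g. "872KB"
    digests: Dict[str, str] = field(default_factory=dict)


def parse_listing(text: str) -> List[DroppedFile]:
    """Parse the listing; raises ValueError on a digest of the wrong length."""
    records: List[DroppedFile] = []
    current = DroppedFile()
    size_pending = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if current.path or current.digests:
                records.append(current)
            current = DroppedFile()
            continue
        if size_pending:                     # value line following a bare "Filesize"
            current.size = line
            size_pending = False
            continue
        m = SIZE_RE.match(line)
        if m:
            if m.group(1):
                current.size = m.group(1)
            else:
                size_pending = True
            continue
        m = DIGEST_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).lower()
            if len(value) != DIGEST_LENGTHS[label]:
                raise ValueError(f"{label} digest has wrong length: {line!r}")
            current.digests[label] = value
            continue
        current.path = line                  # anything else is the dropped file's path
    if current.path or current.digests:
        records.append(current)
    return records


def digests_of(data: bytes) -> Dict[str, str]:
    """Compute every digest the report uses, keyed by the report's own labels."""
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in DIGEST_LENGTHS}


def find_matches(data: bytes, records: List[DroppedFile]) -> List[DroppedFile]:
    """Records whose strongest digest equals that of `data` (SHA-512, else SHA-256).
    MD5 and SHA-1 are never used for matching because they are collision-prone."""
    mine = digests_of(data)
    hits = []
    for rec in records:
        for label in ("SHA512", "SHA256"):
            if label in rec.digests:
                if rec.digests[label] == mine[label]:
                    hits.append(rec)
                break                        # strongest available digest decides
    return hits


# Constructed sample: the first two entries of this page plus a synthetic third entry.
SAMPLE_BYTES = b"constructed sample payload, not a real dropped file\n"
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5 8196f230e0e8567c96cb6580f1e17d29
SHA1 de54e5165bcd2284aee6583713977d18f0a404e3
SHA256 aaceeb03210caad88ad1bdb127d957729232a113c0a0c689b549c670068b8c9f
-
""" + f"constructed.bin\nFilesize {len(SAMPLE_BYTES)}B\nSHA256 {hashlib.sha256(SAMPLE_BYTES).hexdigest()}\n"


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(f"parsed {len(recs)} records")
    for hit in find_matches(SAMPLE_BYTES, recs):
        print("match:", hit.path, hit.digests.get("SHA256"))
```

To use it against a real report, paste the dropped-files section into `parse_listing` and feed each suspect file's bytes to `find_matches`; the unlabeled entries in this report carry no path, so a match on one of them tells you only that the file content is known, not where the sandbox wrote it.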