Analysis

max time kernel: 151s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2024, 23:06

Static task: static1

Behavioral task: behavioral1
Sample: 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Resource: win10v2004-20241007-en

General

Target: 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Size: 1.7MB
MD5: 27dd4457eec4735d6d71f15175eae9cc
SHA1: e1af79fed8f37bd2d8c15418769be24a5f28ef7b
SHA256: 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3
SHA512: 9b974b65f1b35024ce9d12566be546c5d2835b8d0e392c9ab8974b1842a29b73d0343f5f1ebd1948b09516d0b1b6a3d49755e49154b1f48753a6859fac0a41b3
SSDEEP: 49152:7KxNuLkTcKb4rSUfkVFj6aB0zj0yjoB2:efuLkT5NUQHB2Yyjl

Malware Config

Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 50 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 21 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key created | ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | process: 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Modifies data under HKEY_USERS 64 IoCs
SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" SearchProtocolHost.exe -
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (hex-encoded certificate blob omitted) 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process
668 jp2launcher.exe
2256 ehRec.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: 33 2948 EhTray.exe
Token: SeIncBasePriorityPrivilege 2948 EhTray.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeDebugPrivilege 2256 ehRec.exe
Token: SeRestorePrivilege 112 msiexec.exe
Token: SeTakeOwnershipPrivilege 112 msiexec.exe
Token: SeSecurityPrivilege 112 msiexec.exe
Token: 33 2948 EhTray.exe
Token: SeIncBasePriorityPrivilege 2948 EhTray.exe
Token: SeBackupPrivilege 1776 vssvc.exe
Token: SeRestorePrivilege 1776 vssvc.exe
Token: SeAuditPrivilege 1776 vssvc.exe
Token: SeBackupPrivilege 1036 wbengine.exe
Token: SeRestorePrivilege 1036 wbengine.exe
Token: SeSecurityPrivilege 1036 wbengine.exe
Token: 33 2916 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 2916 wmpnetwk.exe
Token: SeManageVolumePrivilege 2900 SearchIndexer.exe
Token: 33 2900 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2900 SearchIndexer.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeDebugPrivilege 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeDebugPrivilege 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeDebugPrivilege 2624 alg.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
Token: SeShutdownPrivilege 2140 mscorsvw.exe
Token: SeShutdownPrivilege 1700 mscorsvw.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2948 EhTray.exe
2948 EhTray.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2948 EhTray.exe
2948 EhTray.exe
-
Suspicious use of SetWindowsHookEx 27 IoCs
pid Process
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe
668 jp2launcher.exe
1612 SearchProtocolHost.exe
1612 SearchProtocolHost.exe
1612 SearchProtocolHost.exe
1612 SearchProtocolHost.exe
1612 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
888 SearchProtocolHost.exe
1612 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2116 wrote to memory of 2912 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe 30
PID 2116 wrote to memory of 2912 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe 30
PID 2116 wrote to memory of 2912 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe 30
PID 2116 wrote to memory of 2912 2116 9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe 30
PID 2912 wrote to memory of 668 2912 javaws.exe 32
PID 2912 wrote to memory of 668 2912 javaws.exe 32
PID 2912 wrote to memory of 668 2912 javaws.exe 32
PID 2140 wrote to memory of 2176 2140 mscorsvw.exe 49
PID 2140 wrote to memory of 2176 2140 mscorsvw.exe 49
PID 2140 wrote to memory of 2176 2140 mscorsvw.exe 49
PID 2140 wrote to memory of 2176 2140 mscorsvw.exe 49
PID 2140 wrote to memory of 1336 2140 mscorsvw.exe 53
PID 2140 wrote to memory of 1336 2140 mscorsvw.exe 53
PID 2140 wrote to memory of 1336 2140 mscorsvw.exe 53
PID 2140 wrote to memory of 1336 2140 mscorsvw.exe 53
PID 2140 wrote to memory of 1484 2140 mscorsvw.exe 55
PID 2140 wrote to memory of 1484 2140 mscorsvw.exe 55
PID 2140 wrote to memory of 1484 2140 mscorsvw.exe 55
PID 2140 wrote to memory of 1484 2140 mscorsvw.exe 55
PID 2140 wrote to memory of 1948 2140 mscorsvw.exe 62
PID 2140 wrote to memory of 1948 2140 mscorsvw.exe 62
PID 2140 wrote to memory of 1948 2140 mscorsvw.exe 62
PID 2140 wrote to memory of 1948 2140 mscorsvw.exe 62
PID 2140 wrote to memory of 1692 2140 mscorsvw.exe 63
PID 2140 wrote to memory of 1692 2140 mscorsvw.exe 63
PID 2140 wrote to memory of 1692 2140 mscorsvw.exe 63
PID 2140 wrote to memory of 1692 2140 mscorsvw.exe 63
PID 2900 wrote to memory of 1612 2900 SearchIndexer.exe 64
PID 2900 wrote to memory of 1612 2900 SearchIndexer.exe 64
PID 2900 wrote to memory of 1612 2900 SearchIndexer.exe 64
PID 2900 wrote to memory of 2476 2900 SearchIndexer.exe 65
PID 2900 wrote to memory of 2476 2900 SearchIndexer.exe 65
PID 2900 wrote to memory of 2476 2900 SearchIndexer.exe 65
PID 2140 wrote to memory of 456 2140 mscorsvw.exe 66
PID 2140 wrote to memory of 456 2140 mscorsvw.exe 66
PID 2140 wrote to memory of 456 2140 mscorsvw.exe 66
PID 2140 wrote to memory of 456 2140 mscorsvw.exe 66
PID 2140 wrote to memory of 2544 2140 mscorsvw.exe 67
PID 2140 wrote to memory of 2544 2140 mscorsvw.exe 67
PID 2140 wrote to memory of 2544 2140 mscorsvw.exe 67
PID 2140 wrote to memory of 2544 2140 mscorsvw.exe 67
PID 2140 wrote to memory of 1236 2140 mscorsvw.exe 76
PID 2140 wrote to memory of 1236 2140 mscorsvw.exe 76
PID 2140 wrote to memory of 1236 2140 mscorsvw.exe 76
PID 2140 wrote to memory of 1236 2140 mscorsvw.exe 76
PID 2140 wrote to memory of 2056 2140 mscorsvw.exe 69
PID 2140 wrote to memory of 2056 2140 mscorsvw.exe 69
PID 2140 wrote to memory of 2056 2140 mscorsvw.exe 69
PID 2140 wrote to memory of 2056 2140 mscorsvw.exe 69
PID 2140 wrote to memory of 3044 2140 mscorsvw.exe 70
PID 2140 wrote to memory of 3044 2140 mscorsvw.exe 70
PID 2140 wrote to memory of 3044 2140 mscorsvw.exe 70
PID 2140 wrote to memory of 3044 2140 mscorsvw.exe 70
PID 2900 wrote to memory of 888 2900 SearchIndexer.exe 71
PID 2900 wrote to memory of 888 2900 SearchIndexer.exe 71
PID 2900 wrote to memory of 888 2900 SearchIndexer.exe 71
PID 2140 wrote to memory of 2516 2140 mscorsvw.exe 72
PID 2140 wrote to memory of 2516 2140 mscorsvw.exe 72
PID 2140 wrote to memory of 2516 2140 mscorsvw.exe 72
PID 2140 wrote to memory of 2516 2140 mscorsvw.exe 72
PID 2140 wrote to memory of 2896 2140 mscorsvw.exe 73
PID 2140 wrote to memory of 2896 2140 mscorsvw.exe 73
PID 2140 wrote to memory of 2896 2140 mscorsvw.exe 73
PID 2140 wrote to memory of 2896 2140 mscorsvw.exe 73
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe"C:\Users\Admin\AppData\Local\Temp\9d34c93328582d606a29e1ce1747284a800659b94b8c6748e1456831c097f6e3.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Program Files\Java\jre7\bin\javaws.exe"C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate2⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Program Files\Java\jre7\bin\jp2launcher.exe"C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma 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 -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:668
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2960
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2336
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2272
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1dc -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 240 -NGENProcess 1f4 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 254 -NGENProcess 1f4 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 274 -NGENProcess 254 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d8 -NGENProcess 1f4 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 284 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 290 -NGENProcess 1f4 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 288 -NGENProcess 28c -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1d8 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 288 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a8 -NGENProcess 288 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 294 -NGENProcess 2b0 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 1fc -Pipe 230 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 244 -NGENProcess 1dc -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1fc -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1ec -NGENProcess 240 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1fc -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1d4 -NGENProcess 228 -Pipe 1c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 228 -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 2b4 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 240 -NGENProcess 1d4 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d8 -NGENProcess 1ec -Pipe 1fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1924
-
-
Process tree (continued). Each entry gives the tree depth, the image path, the PID, the command line and the behaviour tags the sandbox attached. The 54 entries that follow are depth-2 NGen worker processes whose image is C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe and whose command line is that path followed by the arguments shown.

[depth 2] PID 1784: -StartupEvent 1d8 -InterruptEvent 1ec -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 2] PID 2220: -StartupEvent 1ec -InterruptEvent 294 -NGENProcess 1d4 -Pipe 228 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 744: -StartupEvent 294 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 28c -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 2] PID 1144: -StartupEvent 1d4 -InterruptEvent 284 -NGENProcess 2b4 -Pipe 240 -Comment "NGen Worker Process"
  - Loads dropped DLL
[depth 2] PID 1932: -StartupEvent 284 -InterruptEvent 2b4 -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 940: -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 1d4 -Pipe 2a4 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 1844: -StartupEvent 294 -InterruptEvent 1d4 -NGENProcess 244 -Pipe 2a0 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2144: -StartupEvent 1d4 -InterruptEvent 2b8 -NGENProcess 284 -Pipe 1f0 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
[depth 2] PID 2304: -StartupEvent 2b8 -InterruptEvent 284 -NGENProcess 294 -Pipe 1ec -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 956: -StartupEvent 284 -InterruptEvent 2c0 -NGENProcess 244 -Pipe 2b4 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 2080: -StartupEvent 2c0 -InterruptEvent 244 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 1236: -StartupEvent 244 -InterruptEvent 2c8 -NGENProcess 294 -Pipe 1d4 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 1464: -StartupEvent 2c8 -InterruptEvent 294 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 2984: -StartupEvent 294 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 284 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
[depth 2] PID 2876: -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2304: -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 244 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 1144: -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2212: -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 294 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
[depth 2] PID 856: -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2632: -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 2300: -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2056: -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
[depth 2] PID 1932: -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2948: -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
[depth 2] PID 2968: -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
[depth 2] PID 1984: -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 1592: -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 24c -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2484: -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 1916: -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 1d8 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
[depth 2] PID 2324: -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 2] PID 2296: -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 2144: -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 2776: -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
[depth 2] PID 2856: -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 1900: -StartupEvent 320 -InterruptEvent 324 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 1336: -StartupEvent 324 -InterruptEvent 328 -NGENProcess 314 -Pipe 2e8 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 1916: -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 1120: -StartupEvent 330 -InterruptEvent 324 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2248: -StartupEvent 324 -InterruptEvent 338 -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 1800: -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 2a8 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2884: -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2936: -StartupEvent 340 -InterruptEvent 344 -NGENProcess 320 -Pipe 310 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2136: -StartupEvent 344 -InterruptEvent 348 -NGENProcess 314 -Pipe 330 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2984: -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 324 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2160: -StartupEvent 34c -InterruptEvent 350 -NGENProcess 320 -Pipe 338 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2256: -StartupEvent 350 -InterruptEvent 354 -NGENProcess 314 -Pipe 33c -Comment "NGen Worker Process"
  - Modifies data under HKEY_USERS
[depth 2] PID 1912: -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 2036: -StartupEvent 358 -InterruptEvent 35c -NGENProcess 320 -Pipe 344 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 1892: -StartupEvent 35c -InterruptEvent 360 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2664: -StartupEvent 360 -InterruptEvent 364 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 1656: -StartupEvent 364 -InterruptEvent 368 -NGENProcess 320 -Pipe 350 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2356: -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 354 -Comment "NGen Worker Process"
  (no tags)
[depth 2] PID 1672: -StartupEvent 36c -InterruptEvent 370 -NGENProcess 318 -Pipe 358 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
[depth 2] PID 2296: -StartupEvent 370 -InterruptEvent 374 -NGENProcess 320 -Pipe 35c -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery

[depth 1] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 1700)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 3048)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
    - Executes dropped EXE
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 964)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1dc -Comment "NGen Worker Process"
    - Executes dropped EXE

[depth 1] C:\Windows\ehome\ehRecvr.exe (PID 1072)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE

[depth 1] C:\Windows\ehome\ehsched.exe (PID 2396)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE

[depth 1] C:\Windows\eHome\EhTray.exe (PID 2948)
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2992)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE

[depth 1] C:\Windows\system32\IEEtwCollector.exe (PID 2508)
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE

[depth 1] C:\Windows\ehome\ehRec.exe (PID 2256)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (PID 976)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory

[depth 1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 1972)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE

[depth 1] C:\Windows\System32\msdtc.exe (PID 2548)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

[depth 1] C:\Windows\system32\msiexec.exe (PID 112)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2792)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 1] C:\Windows\SysWow64\perfhost.exe (PID 2868)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE

[depth 1] C:\Windows\system32\locator.exe (PID 1552)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE

[depth 1] C:\Windows\System32\snmptrap.exe (PID 1556)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE

[depth 1] C:\Windows\System32\vds.exe (PID 2372)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE

[depth 1] C:\Windows\system32\vssvc.exe (PID 1776)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\wbengine.exe (PID 1036)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\wbem\WmiApSrv.exe (PID 960)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE

[depth 1] C:\Program Files\Windows Media Player\wmpnetwk.exe (PID 2916)
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\SearchIndexer.exe (PID 2900)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\SearchProtocolHost.exe (PID 1612)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
  [depth 2] C:\Windows\system32\SearchFilterHost.exe (PID 2476)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    - Modifies data under HKEY_USERS
  [depth 2] C:\Windows\system32\SearchProtocolHost.exe (PID 888)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
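The scraped form of a sandbox process tree (image path fused to its command line, the depth digit fused to a ⤵ glyph, the PID either on the same line or on the next) is awkward to grep, and the detail that matters in this tree is which of the flagged binaries live under C:\Windows or C:\Program Files. The Python below is an added example, not part of this report and not any sandbox vendor's code: it parses that scraped form, recovers parent/child relations from the depth column, and lists system binaries that carry the "Executes dropped EXE" tag. The triage rule rests on my reading of that tag, which the report itself does not spell out: a file is only "dropped" if it was written during the run, so a Windows service binary or an installed application's binary tagged this way was overwritten (the file-infector pattern) and is the thing to pull from the VM and diff against a clean copy. The sample lines are copied from this listing; SYSTEM_PREFIXES, the single-digit depth assumption and all function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One scraped process line: image path fused to the command line, then a single
# depth digit and the "⤵" glyph, optionally "PID:<n>" on the same line.
# Assumption: depth is one digit (true for this report, not guaranteed elsewhere).
_PROC = re.compile(
    r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵'
    r'(?:PID:(?P<pid>\d+))?\s*-?\s*$', re.IGNORECASE)
_PID = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')

# A "dropped" executable under these prefixes means the sample overwrote a
# legitimate binary (my reading of the tag; the report does not say so).
SYSTEM_PREFIXES = ('c:\\windows\\', 'c:\\program files')
INFECTOR_TAG = 'Executes dropped EXE'

@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)

def parse_process_tree(text: str) -> List[Proc]:
    """Scraped listing -> Proc records in document order."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':              # bullet residue between entries
            continue
        m = _PROC.match(line)
        if m:
            procs.append(Proc(int(m['depth']), m['image'], m['cmd'].strip(),
                              int(m['pid']) if m['pid'] else None))
        elif procs:
            p = _PID.match(line)
            if p:
                procs[-1].pid = int(p['pid'])
            elif line.startswith('- '):
                procs[-1].tags.append(line[2:].strip())
    return procs

def parent_of(procs: List[Proc], i: int) -> Optional[Proc]:
    """Nearest earlier entry one level shallower: that is how the depth column
    encodes parent/child. None for a root or for a subtree cut off by the scrape."""
    for j in range(i - 1, -1, -1):
        if procs[j].depth == procs[i].depth - 1:
            return procs[j]
        if procs[j].depth < procs[i].depth - 1:
            break
    return None

def tampered_system_binaries(procs: List[Proc]) -> Dict[str, Set[Optional[int]]]:
    """Images under SYSTEM_PREFIXES that still carry INFECTOR_TAG, with the PIDs
    seen running them: the files to pull from the VM and diff against clean copies."""
    hits: Dict[str, Set[Optional[int]]] = {}
    for p in procs:
        if p.image.lower().startswith(SYSTEM_PREFIXES) and INFECTOR_TAG in p.tags:
            hits.setdefault(p.image, set()).add(p.pid)
    return hits

def tag_counts(procs: List[Proc]) -> Counter:
    return Counter(t for p in procs for t in p.tags)

# Constructed sample: six entries copied verbatim from this report's listing.
SAMPLE = r'''
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1ec -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 294 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:1464
-
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2548
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:2476
'''

if __name__ == '__main__':
    procs = parse_process_tree(SAMPLE)
    for image, pids in tampered_system_binaries(procs).items():
        print(image, sorted(p for p in pids if p is not None))
    print(tag_counts(procs).most_common(3))
```

Feed it the whole scraped tree rather than the sample and the hits are the service binaries listed above (mscorsvw.exe, msdtc.exe, msiexec.exe, vssvc.exe and the rest); the NGen worker arguments are deliberately left opaque, since only the image, the tags and the PID matter for this check.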
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
1.3MB
MD51bf4f098fc71bb9da65d016c638fbf4f
SHA1bb11f67de1b7479ba598008f5afc4191b674da5e
SHA25655487abacbab0e88e2214e8387a4468089ffa4d1788c90ea2dca5df16f5b02a4
SHA512083af036667508af06ff9aca9639521a0de0c7f812f834cc37b31fa520fbf3c6a9ebea0826504d686d8c4441ced2d361c5a34719730838a6f672e83daef9ce0d
-
Filesize
30.1MB
MD5a134533ba3aff422d0d4085c3051e6f7
SHA14e25ba88c6381ef616b2311bdd302c0d2c8c936c
SHA256151d10c99dba972d961cc4e373e81a0d592a763df79d485a04fd6aa612c8bfef
SHA51252ffae90391f392598083e43dbf3b28164099698989992fc669f50ce75d991ecb74ceb71a4639e295ac25ee56af9e94ab6ee9f40e442e0b03424e90c80cf8431
-
Filesize
1.4MB
MD52ffec26497065822fb2e3d96ff5053cc
SHA1aaa4dbbe3511188256edba9329a07cdc80ddb94c
SHA256024c9b5ea2dc5c9e8634dd2735679bcb3e6c594f850df19329ad6ad7b517ce4e
SHA5128bd0adae6f04aff5206b40f13a9b2f52ef60f6b79e9c307cd139c8d64cc569fb2431534de3a0d82fb21a350f80d00b7d34bec2d51e602a8249667e0bca170aad
-
Filesize
2.1MB
MD5523826876c0d92dd4a9d0b8d9cc5ed7c
SHA11b5b6f8f3b63faaf3300a20386d03044c41d9cdf
SHA25673cb9b72832ccbbe071f3e3140e6955da4304f15e2e3cca82f0dab30af1a970d
SHA5122005d3d2446a5a650d2ba7249974d47e8d6e32dc4953ed8efce412211b7bc366a7e10b35578b8f9c2d6f40a05cc374d2de7443270a7dba9fb0436af145ea6923
-
Filesize
2.0MB
MD5701fdfd594752e3744aea3a44f2fa0c5
SHA1793dc590deeb19a90d6d89ddd094db14f8ccbcd2
SHA256e73403ebb5adad3e1b566cc6c5a6baa8a2292a7c6802a779f7ca59ab4bb2d0c3
SHA512ea9766ba2eb81a836101b036350f9c1aa5e260c0da62ecd20f48d478181a232e759e348c48fd48c8b975dd0d12c41cafaad425406e0bdc8b0559c92fee45f055
-
Filesize
1024KB
MD551da34a4f22540e7676f7e66bbb3d544
SHA1963a8594079797affc9f8761097d2923fbdaaa79
SHA2569f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA51233cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f
-
Filesize
12KB
MD5bde987640121265de7999403d95f247c
SHA1545a717546e9005276997d4d5abe45b2291f87c4
SHA256f9f4cded6b11ab6a76cdf90fc5ebdfecdc76fdbcdce6a77b4cfb8bfd03bb3eae
SHA51260562db099fc331679d6ae5679133a41a08199900a9f2458fdcdd15fa5d079f155f6986082961dcb0387269494568db03f77dcd03c329c1c2d5d97348ab7ca83
-
Filesize
685B
MD5b36d3dd663ca344a07f7eaed2817001c
SHA1c707db0ab8fd08c91d8f4155a13cd4e9a92d6c8b
SHA2566c1cadc6cf00c82be525c530137c9ce4ad3917c6951afade35ca709105a39418
SHA51257264ffd7dc65021cc24e88e32ab0fd8b3c7fbf089298f00ec1d5b723683bd4cb7aa49b2b592067ffa268b3a17952484f9c9bf48a8a64332bce3154bc5c55ae1
-
Filesize
12KB
MD500e5f72258e6c602e6841bbf4c30b136
SHA152dbdf9eada5d7b0e015fd3523cca5cb915c23c2
SHA256905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807
SHA51250f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7
-
Filesize
4KB
MD54b32df6fcd106cb82b1c15a9552e4c1a
SHA14decbcd95363774326175f76ba08197405c9a101
SHA2561c3da6f84d449d503a9909b1684a03a4c9a31febfc1cec6c895d3e80c06878cd
SHA512d3d0723efcc2ccce47d8a259031d431b905f17384aa742134c2eafbb1ffc483308f7d848e7e2a4fcbe2637e3835f521aba57b86e707cd4193604a9d78a5c387a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5937608b70cc72981430e1fa942c50bd4
SHA13d07752b157e3ec757843b4c126532a5a541a7aa
SHA2564f6289e95955d25da45bb66f5530afa49c3bf66863bda3af5f383909083037af
SHA51257c0b8d205ba5e55cec0decc24c97ba1e56b87e4f109e66b0b645cd7d89effba7787ad0dcdc161d83cceb8a59819f0963f8d1b838b9696424903f73605e38d85
-
Filesize
1.3MB
MD558b474b0940ca5027ae60e2a8ee63086
SHA19b95606a46b3565b1524f80db7738db9972b5d9c
SHA256cff789f703c534a7769f689a5e5f2aaf50d2720aa2796499d26cf82c6ea395a5
SHA5120cf42f93975e391c97da51cd3ae114ea37a43be88ded3c71af868550fd2d84c5a1d2b703cb0344db91e2a7adc697d11149d19685e18b51353dc14f0a6fa3a47c
-
Filesize
1.3MB
MD5b34b161419be491c3bc32d40dfca7059
SHA17e2baf78701f9f15274e032d5b4f26ff7d335e43
SHA256c9a5637df67e0a104d793858ffd8617802b6ce5708e33a0402c90597caff8257
SHA5129e9dea37e1d7c5db20ea760196ba87ae09aab812b44dec160ece0a6c2f5ac5b8a59ca4578c880f5a6d33d2791ba9ea6cfc23e70b6b2a7950b02dd49d716674c9
-
Filesize
1003KB
MD5bf4d5143c92358d0e25ff9840e45b5a2
SHA18d616840280aebde537778a81d6cf30948f121e0
SHA256a94ca520c460f935f47483482634c0dff841be16818fd3688a977f8f40af391b
SHA512c07d700e3af51c2cec6be715b96db0ce9c5adec33512088070f72b0d6206e14463a79204a7f0c35b3adeb9062f854bd2ce9f399d3038ab667f9dba3764e2ad35
-
Filesize
1.3MB
MD593b00e6255d4b9b4ae077271a6fc680b
SHA1da3930531d78a62423f0fce6419357f4465882b1
SHA256ec0e090e3d10ddd5beeb0486f43352c3f2e7319ee3a1923b1e3ca2841723adaf
SHA512068267bad0be6f1c407969f99a572c55b2e07fa19248fa25e89196a9e2671668f8e813c0904f5f712a08ef9e28f05a6cd5406d45f1897445ca333b79e13bd621
-
Filesize
8KB
MD585c7d9b30771272d747b66440767198d
SHA1a77e77dd2a6f9750460e35bf79155f01f465613b
SHA2568c053ab5cb84f1fd97b2a8e0ba1306cc4632d56b3f76f2f2f587dd5987bb4b64
SHA512c0153ff2ef2c5783f7fb0b89b64c0c93b4733adad2a98902c884ed15cc8551d90a5d80c6ede56f2f3f59d65bd862af759cdee188882e40bb95a34761a16aa938
-
Filesize
1.2MB
MD53d1805a243ae3b6fc9dfbc2c6a96c3db
SHA188b4d84051c1f84e5ce6eeb37a3820fc186e5654
SHA2568e6535972e5ed5277a6e6033a0d6d93c74bd53425989c0a2a70fa6da4ff1899c
SHA5120198c80615fd3e9eef81f11a3ce3063328816d8e4dafcde8a5aee9bf749caefc19b14936080cb01b3861b4e39db44a2713f15995ab75209b227a553286cc6fcf
-
Filesize
1.2MB
MD5178a8ad46c5330c2256d56443142d58a
SHA1b4e93c0c0119b82e2ef39d37853edf1ffcb7b82e
SHA256683f366dc234c420a069a79dc824a5c4293db49efe0988a5030622e5303b5401
SHA51281dcc024e125a4740d239a99dd6721ba30be99700ee1b51e5aa6842a0864e7de5e7569b262c03b9a8c69dc7ff86db0fb3b5be667f28679ea3d9dce39014af12f
-
Filesize
1.1MB
MD54c8f2b275208b41deb470d0069c61d55
SHA16e6335138c2141115f3d1c1cf78dd7b771e2fa5f
SHA25696e2119663dcaf259db1040253ef960fcc07c7f2fa386611da0eae0e06cd251e
SHA5126d9d696c1337d366694a02e9a48f62579fc95854fd79a927776eb90fd56b9a46ac17fc706cd8569773f7be15707ee88bd60c9afda63f2b0bdd3ad45da5235db8
-
Filesize
2.1MB
MD53dbe34f47610e39b80a87739fc6bf2c1
SHA1f0dde025a47f9f14ff3d2e98d04f130723a1b7cf
SHA2569f852fb732a3cf5674ef9233da9b8729406e307ebd750a575e015e5ec6719a35
SHA51278b5d5543a2377bba13ee8ddeb7046a17386a866d878bb5db7bdd6784c644c9a6ed72d99d68a4ac0c02052362e9e71626367f830b5eade685681797f348b319d
-
Filesize
1.3MB
MD53fc3fea7db9c065bad1db063745ac307
SHA199ae09f750081295b72ff30b47ff11c61971d360
SHA256bd86f1c923d8de0e8276170dae934a6b3506f35a2699181a50389b42949001e1
SHA5126a7b25d8a13fcdd34149a200728c804b84ef26af4c8a94ef61025073623d790e5eb557e5dcd98c968780bde0ef009761bb16fac983d7f9a87bab53db8894bb66
-
Filesize
1.3MB
MD53b421bbc4cd9106de2b2d9c033a16b54
SHA15edda95441dffba93bbcc58174c6531e09624c7b
SHA256d05ab548f6c0b3fc32a2fea2f8a5fc0f420de90e9ca11959244abe7fe9469019
SHA51266289c7fb14d9f9226760f5430a5112284f62045d568eab419f72d75160e3bfff873e6ebba8c6ce0acd481b95ef6930ef6e52f11b80d7bfde33f2d239434bcc1
-
Filesize
1.3MB
MD5c11a4080c721a935caa4053c2fa9cdb8
SHA1cb71c0dd870208f463c33f4f5e51fbe612196964
SHA256c76328ffc752fd91cfe38b1f6033a52d1fb4fd16be1581a6c1c889b5e4cc96c0
SHA5128a4ab8a4ac4d8efae521e1b1e7dd3a9c9f468980ec4a4d97d104edce1dac42882b389e12bb27231d9b5279b65d170fc7d6ea622ed1f7b8918246916d4a7f6a76
-
Filesize
1.7MB
MD576493aeadfbfb8a342ab58e48d08aa5c
SHA14dd35072f932e8d3907b327524a288a41f66135c
SHA256605208f38859451a3e8c46af92c2fb1575a94a097b5183d4f7cedd79286e25f9
SHA5129f30147b3998e80189d1e4eb29ded99fa4dbfb1e23817146581c2553713f04f1668a33a9047bafea87f2825f384974b61d7745329efb15cc1807fe51d8187324
-
Filesize
1.4MB
MD5acb23af10994943400141651742e6aa0
SHA128b4b30051e18e8c306242201579b08d55f80ad5
SHA2562c8cf2059469900c063df1230acf9401f7b933c0e6aad4d551ca91d9febc9047
SHA512518d84467fcf7be391ece1e73cc21b9f394671e7a6215eb4e849aeb1b185abc06be7b2ef8464d398554f842fe35c96a30a9291c38c010553b56a2380108984d9
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4099ddf4991a876506267bdf44fb1613\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5b8c32c938a8dd190cfb3c96d274f7450
SHA1e05fa6b71533e8d558a48908b3415a616d5ff011
SHA2568b32dfb6eacc14eb685aeb0fe3bfb64e7a4f25c8626cfc3f943d83584d1025e2
SHA512d61f0dfb96b4d884757739adf87c6a7f4bc9d0172f49a78e4a99e9b8db97682926070264b8bde680aa0522808191c2f1761828cbc0f8bc53284d40c28f4b1cf2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\470892f8a0a0f658cc0667296dec2d99\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD59a75efe6ba9eec11da7287360bf177fe
SHA16853e1a69295cb3c40ea3b1ee88bfa176ec98846
SHA256599242240e9c3317af695d13c95c8b093fe154e14b892ed18cf1bb7387732ee9
SHA512ec99b4c386203fd0422310a52af8519b25d73408052c5d2d47bce7110a089a9be1165334d13d8f80acf532c4fdd25e027fae1463ff0097102faad966da6673e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5be0914ec6bc775ef1c7f93f75a1861a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD535aefa05e77d58d31272bb94c0ef25f5
SHA1bef4874a17cfe29939ca24f0adbdaadb80670632
SHA256efbfd4c3ca295cd7fdfc67072136668b0c7de72d40162bc28e6ae919eee6c66e
SHA512e88c5c7e7a37ab8db4ba704d172651de429de39abf8a07f166cf90fad939fdf6bfc94604111bfad534d5159f60e7d63b34a69cc7c55fbe7ad6680aa0a9063327
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8f3fafb134e812c1e276194493ec147f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD514a39bff3c6e92f3478883d751107b7e
SHA1953f62f128012b6e08880cc07c195c5583beeb82
SHA256887a9f9675035810f00f05923c8498075c19a63b4f8d1887365d11e2091a3125
SHA512b343ad59ecdd19b130ea5fc8774b705bfe3ea79ceaacfdc9e8fe706040ad3e2ea7e9f44b23cae6b9c7e8d5edd55b7a3be95bbfe30f77e56d2bee0eb18f1fd9ff
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize 130KB
MD5 2735d2ab103beb0f7c1fbd6971838274
SHA1 6063646bc072546798bf8bf347425834f2bfad71
SHA256 f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512 fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize 59KB
MD5 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1 b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256 a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize 42KB
MD5 71d4273e5b77cf01239a5d4f29e064fc
SHA1 e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256 f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDDD1.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll
Filesize 28KB
MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize 855KB
MD5 7812b0a90d92b4812d4063b89a970c58
SHA1 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize 43KB
MD5 3e72bdd0663c5b2bcd530f74139c83e3
SHA1 66069bcac0207512b9e07320f4fa5934650677d2
SHA256 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512 b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize 1.3MB
MD5 3bfc80680b72c3f3502cda06c57016c9
SHA1 26f5a4284fd920a3306954d73c6f6f54f37b7b60
SHA256 fb38a2895bca9b21b75e949be8846510623cdfaa4c603a256285587b63ef7a3a
SHA512 8ebb888e22533db6dd047ac2ea2e3a6ce8f27a9f5acc3825ff89e8abd2474b69e52d75c1ba1df40e799807acfd2c28d0a62951f45da735ae52e98f928e84ce07
-
Filesize 1.3MB
MD5 3f89bb1e799c77cbcd356d872c8caf80
SHA1 434ef68bc465107114f578e7e198a298430fe78f
SHA256 e7ef64da657fe3be77994e68c956bb1baf193d490a7b008a33ded177ae35c455
SHA512 6f8d85aced56c8f6f22ebe860dc3c8c220569ff2a9dcf4d49c2a63f9a4da6efb1d9d99b5f9f1eaceb5c11ab5bb47f5c7402e014b6b8d6399993170e12ce9e883
-
Filesize 1.3MB
MD5 ede40b8e2fcdc55011122e0d999c3e0a
SHA1 ff851818eac10a9b118ff70f94719024aa6f8f49
SHA256 6ac40e4f727058eb3bb2a43d4e757238d209139f00bb2a544b1c3ad958edffab
SHA512 6b228b234aee6aa8fafc2e65c3eee8b82e88019ef021d9959d59eceed378da399712a0f310d5e26dec00eec8c95b4f3e0ee3ee110a5ab343289d42dd9abe79f6
-
Filesize 1.2MB
MD5 baf6c8f8c1a61a4ec9b5e5f179e0701f
SHA1 1dcf37600f8c7059d7f5eb987c31a9e96595bb84
SHA256 f32457f5caa38e5b5c7f5739033339a4fcf0080b7afcb109d641a6bc295464ea
SHA512 f078622d727747ab20c7dad39a2540ef1d26e63b7dfd01122e6de644488c3ea9773a94fed2e9d86995b3793cd10a94475f271b5bb84e1590cefba34d07d33f61
-
Filesize 1.2MB
MD5 2d7486cbde1d7d4c365fc6cab1f5f99c
SHA1 ea525d7904e66574e560fb66ce74db155e0e56bd
SHA256 a409752efd067718b72756f116d4ffaa9ca85ebb5cf810b65b79e5ba3ca2cc21
SHA512 b26d5100ce40951d2f589b68364b38d53368cb1ce548d858d8280be98b9c413026dc1285cf1019cce2a19205fa221c2ffa01e2a770efe48c3304f27a4e12df8e
-
Filesize 2.0MB
MD5 904954c0a73707939cb7dc6aefb7af89
SHA1 dd2ed9dcc7ee1eea758896a886ea41057b817326
SHA256 75ea80cedd5d0ba0b81c28d72317b0d9228aad82332df9c10b94c0b21315ed58
SHA512 80c88f283ac1148e82ed2cc66ec536138930a7fc845bf8b5bc93e5f640fcaa4b9e0e83519b3d289486917fce3489b6497572cfa71246c081719cae2b355bed6b
-
Filesize 1.2MB
MD5 9ada16e971557df0dcf54178e900d197
SHA1 01623e8e0c1eb12e127833d4c766c03341689bb5
SHA256 5541cba88e327b1cd3579b04e4c268352262fbf0e55b5bf98d128f0f85d37e4b
SHA512 748e89fa1373917da1a373ffcfdf2d94084df71a2c1853ac3f6f7effb61b63893cf2bc2853365137bb2813b9a3776bf0c27bc0118ccd3ddbccfc0f74af2f7a8a
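The dropped-file listing above is what an analyst usually has to turn into a hash set, and two things get in the way: the extraction fuses each label with its value (or splits Filesize over two lines), and most of the entries live under C:\Windows\assembly\NativeImages_v2.0.50727_32\, the .NET NGEN native-image cache that mscorsvw.exe repopulates during any run, so those hashes describe sandbox background activity rather than the sample's payload. The script below is an added example, not code from the sandbox report or its vendor. It parses this listing layout into records, rejects digests whose hex length is wrong (a sign of truncation or mis-extraction), flags NGEN cache paths as noise, and emits sha256,path IOC lines. The sample input embeds two records copied from the listing plus one constructed record (fake path, zero digests, truncated SHA256) to exercise the validation; the path and the NGEN filter regex are my assumptions, not something the report states.

```python
"""Added example (not sandbox-vendor code): parse a flattened dropped-file listing into IOCs."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
HEX_RE = re.compile(r"[0-9a-f]+")
# NGEN native-image cache (assumed filter): written by the .NET runtime's mscorsvw.exe
# compilation service during the run, i.e. sandbox background noise, not a payload.
NGEN_RE = re.compile(r"\\assembly\\NativeImages_v[\d.]+_(?:32|64)\\", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: Optional[str] = None
    filesize: Optional[str] = None
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def ngen_noise(self) -> bool:
        return bool(self.path and NGEN_RE.search(self.path))

    def validate(self) -> None:
        # A digest of the wrong length was truncated or mis-extracted; never ship it as an IOC.
        for algo, want in HASH_LENGTHS.items():
            value = self.hashes.get(algo)
            if value is None:
                self.problems.append(f"missing {algo}")
            elif len(value) != want or not HEX_RE.fullmatch(value):
                self.problems.append(f"{algo} is not a {want}-hex-char digest")
        if self.path is None:
            self.problems.append("no path (elided in listing)")


def parse_listing(text: str) -> list[DroppedFile]:
    """Assumed layout: optional path line, then label lines (label and value fused or
    space-separated, a bare label's value on the next line), records separated by '-'."""
    records: list[DroppedFile] = []
    cur = DroppedFile()
    pending = None  # label whose value is expected on the next line
    for raw in (text + "\n-").splitlines():  # trailing '-' flushes the last record
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.filesize or cur.hashes:
                cur.validate()
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:
            label, value, pending = pending, line, None
        else:
            m = LABEL_RE.match(line)
            if not m:                      # not a label line: treat it as the path
                cur.path = line
                continue
            label, value = m.group(1), m.group(2).strip()
            if not value:                  # bare label, value follows on the next line
                pending = label
                continue
        if label == "Filesize":
            cur.filesize = value
        else:
            cur.hashes[label] = value.lower()
    return records


def to_ioc_lines(records: list[DroppedFile], include_ngen: bool = False) -> list[str]:
    """'sha256,path' lines for records with a well-formed SHA256; NGEN noise dropped by default."""
    out = []
    for r in records:
        sha = r.hashes.get("SHA256", "")
        if len(sha) != HASH_LENGTHS["SHA256"] or not HEX_RE.fullmatch(sha):
            continue
        if r.ngen_noise and not include_ngen:
            continue
        out.append(f"{sha},{r.path or ''}")
    return out


# Constructed sample: the first two records are copied from the listing above; the third
# is made up (fake path, zero digests, truncated SHA256, no SHA512) to exercise validation.
SAMPLE_LISTING = r"""
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.3MB
MD53bfc80680b72c3f3502cda06c57016c9
SHA126f5a4284fd920a3306954d73c6f6f54f37b7b60
SHA256fb38a2895bca9b21b75e949be8846510623cdfaa4c603a256285587b63ef7a3a
SHA5128ebb888e22533db6dd047ac2ea2e3a6ce8f27a9f5acc3825ff89e8abd2474b69e52d75c1ba1df40e799807acfd2c28d0a62951f45da735ae52e98f928e84ce07
-
C:\Users\example\AppData\Local\Temp\constructed_example.tmp
Filesize 12KB
MD5 00000000000000000000000000000000
SHA1 0000000000000000000000000000000000000000
SHA256 deadbeef
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for rec in recs:
        print(f"{rec.path or '<no path>'}{' [ngen noise]' if rec.ngen_noise else ''}: {rec.problems or 'ok'}")
    print("\n".join(to_ioc_lines(recs)))
```

Run it on the full listing and only the pathless 1.2MB to 2.0MB entries survive the NGEN filter; those are the hashes worth pivoting on, while the .ni.dll entries should be expected on any Windows 7 image where the NGEN service gets scheduled time during the run.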