Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25/10/2024, 21:17
Static task
static1
Behavioral task
behavioral1
Sample
87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe
Resource
win10v2004-20241007-en
General
-
Target
87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe
-
Size
2.0MB
-
MD5
1e48e670bd6deb8710ec2983cd929ece
-
SHA1
d048b8dee8642121bc5795ff4003e65fc9056437
-
SHA256
87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55
-
SHA512
cac02ca81acf18161b05623d0e67355c6193935cf4604fcbf2d9524f581c4d6808265ecc7265e5cb78ae869422df54134463b590440660b0ee289793006f036b
-
SSDEEP
49152:Rgi7tbYOMjUfkptVxHErvL73RLSo+2fhl:Rd7tMjUu5krvvRe12fD
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 464 Process not Found 2920 alg.exe 1048 aspnet_state.exe 2536 mscorsvw.exe 2612 mscorsvw.exe 1100 elevation_service.exe 3052 GROOVE.EXE 1296 maintenanceservice.exe 1744 OSE.EXE 1396 mscorsvw.exe 1560 mscorsvw.exe 2448 mscorsvw.exe 2924 mscorsvw.exe 1676 mscorsvw.exe 1260 mscorsvw.exe 2424 mscorsvw.exe 2052 mscorsvw.exe 1712 mscorsvw.exe 456 mscorsvw.exe 2436 mscorsvw.exe 1672 mscorsvw.exe 2648 mscorsvw.exe 2816 mscorsvw.exe 392 mscorsvw.exe 2808 mscorsvw.exe 2596 mscorsvw.exe 2348 mscorsvw.exe 2328 mscorsvw.exe 1160 mscorsvw.exe 2088 mscorsvw.exe 1848 mscorsvw.exe 1644 mscorsvw.exe 1752 mscorsvw.exe 2392 mscorsvw.exe 2472 mscorsvw.exe 2232 mscorsvw.exe 1716 mscorsvw.exe 2620 mscorsvw.exe 2652 mscorsvw.exe 2060 mscorsvw.exe 2680 mscorsvw.exe 2288 mscorsvw.exe 2984 mscorsvw.exe 2592 mscorsvw.exe 1312 mscorsvw.exe 2024 mscorsvw.exe 2056 mscorsvw.exe 2328 mscorsvw.exe 972 mscorsvw.exe 948 mscorsvw.exe 1116 mscorsvw.exe 2184 mscorsvw.exe 2664 mscorsvw.exe 2572 mscorsvw.exe 2068 mscorsvw.exe 3036 mscorsvw.exe 1148 mscorsvw.exe 2216 mscorsvw.exe 2580 mscorsvw.exe 1776 mscorsvw.exe 1756 mscorsvw.exe 1132 mscorsvw.exe 2264 mscorsvw.exe 1976 mscorsvw.exe -
Loads dropped DLL 41 IoCs
pid Process 464 Process not Found 2652 mscorsvw.exe 2652 mscorsvw.exe 2680 mscorsvw.exe 2680 mscorsvw.exe 2984 mscorsvw.exe 2984 mscorsvw.exe 1312 mscorsvw.exe 1312 mscorsvw.exe 2056 mscorsvw.exe 2056 mscorsvw.exe 972 mscorsvw.exe 972 mscorsvw.exe 1116 mscorsvw.exe 1116 mscorsvw.exe 2664 mscorsvw.exe 2664 mscorsvw.exe 2068 mscorsvw.exe 2068 mscorsvw.exe 1148 mscorsvw.exe 1148 mscorsvw.exe 2580 mscorsvw.exe 2580 mscorsvw.exe 1756 mscorsvw.exe 1756 mscorsvw.exe 2264 mscorsvw.exe 2264 mscorsvw.exe 1136 mscorsvw.exe 1136 mscorsvw.exe 2472 mscorsvw.exe 2472 mscorsvw.exe 1244 mscorsvw.exe 1244 mscorsvw.exe 2440 mscorsvw.exe 2440 mscorsvw.exe 1676 mscorsvw.exe 1676 mscorsvw.exe 2452 mscorsvw.exe 2452 mscorsvw.exe 1916 mscorsvw.exe 1916 mscorsvw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\1227bf585f6c6349.bin alg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\System32\alg.exe 87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE alg.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe mscorsvw.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe alg.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe mscorsvw.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1600.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFEAA.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF622.tmp\Microsoft.Office.Tools.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEDF.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE705.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBA4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3034.tmp\ehiActivScp.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1268.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF1DE.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5226.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GROOVE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe -
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe" mscorsvw.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 840 87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeDebugPrivilege 2920 alg.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeDebugPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe Token: SeShutdownPrivilege 2612 mscorsvw.exe Token: SeShutdownPrivilege 2536 mscorsvw.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 840 wrote to memory of 2868 840 87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe 29 PID 840 wrote to memory of 2868 840 87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe 29 PID 840 wrote to memory of 2868 840 87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe 29 PID 2612 wrote to memory of 1396 2612 mscorsvw.exe 38 PID 2612 wrote to memory of 1396 2612 mscorsvw.exe 38 PID 2612 wrote to memory of 1396 2612 mscorsvw.exe 38 PID 2612 wrote to memory of 1560 2612 mscorsvw.exe 39 PID 2612 wrote to memory of 1560 2612 mscorsvw.exe 39 PID 2612 wrote to memory of 1560 2612 mscorsvw.exe 39 PID 2536 wrote to memory of 2448 2536 mscorsvw.exe 40 PID 2536 wrote to memory of 2448 2536 mscorsvw.exe 40 PID 2536 wrote to memory of 2448 2536 mscorsvw.exe 40 PID 2536 wrote to memory of 2448 2536 mscorsvw.exe 40 PID 2536 wrote to memory of 2924 2536 mscorsvw.exe 41 PID 2536 wrote to memory of 2924 2536 mscorsvw.exe 41 PID 2536 wrote to memory of 2924 2536 mscorsvw.exe 41 PID 2536 wrote to memory of 2924 2536 mscorsvw.exe 41 PID 2536 wrote to memory of 1676 2536 mscorsvw.exe 42 PID 2536 wrote to memory of 1676 2536 mscorsvw.exe 42 PID 2536 wrote to memory of 1676 2536 mscorsvw.exe 42 PID 2536 wrote to memory of 1676 2536 mscorsvw.exe 42 PID 2536 wrote to memory of 1260 2536 mscorsvw.exe 43 PID 2536 wrote to memory of 1260 2536 mscorsvw.exe 43 PID 2536 wrote to memory of 1260 2536 mscorsvw.exe 43 PID 2536 wrote to memory of 1260 2536 mscorsvw.exe 43 PID 2536 wrote to memory of 2424 2536 mscorsvw.exe 44 PID 2536 wrote to memory of 2424 2536 mscorsvw.exe 44 PID 2536 wrote to memory of 2424 2536 mscorsvw.exe 44 PID 2536 wrote to memory of 2424 2536 mscorsvw.exe 44 PID 2536 wrote to memory of 2052 2536 mscorsvw.exe 45 PID 2536 wrote to memory of 2052 2536 mscorsvw.exe 45 PID 2536 wrote to memory of 2052 2536 mscorsvw.exe 45 PID 2536 wrote to memory of 2052 2536 mscorsvw.exe 45 PID 2536 wrote to memory of 1712 2536 mscorsvw.exe 46 PID 2536 wrote to memory of 1712 2536 mscorsvw.exe 46 PID 2536 wrote to memory of 1712 2536 mscorsvw.exe 46 PID 2536 wrote to memory of 1712 2536 mscorsvw.exe 46 PID 2536 wrote to memory of 456 2536 mscorsvw.exe 47 PID 2536 wrote to memory of 456 2536 mscorsvw.exe 47 PID 2536 wrote to memory of 456 2536 mscorsvw.exe 47 PID 2536 wrote to memory of 456 2536 mscorsvw.exe 47 PID 2536 wrote to memory of 2436 2536 mscorsvw.exe 48 PID 2536 wrote to memory of 2436 2536 mscorsvw.exe 48 PID 2536 wrote to memory of 2436 2536 mscorsvw.exe 48 PID 2536 wrote to memory of 2436 2536 mscorsvw.exe 48 PID 2536 wrote to memory of 1672 2536 mscorsvw.exe 49 PID 2536 wrote to memory of 1672 2536 mscorsvw.exe 49 PID 2536 wrote to memory of 1672 2536 mscorsvw.exe 49 PID 2536 wrote to memory of 1672 2536 mscorsvw.exe 49 PID 2536 wrote to memory of 2648 2536 mscorsvw.exe 50 PID 2536 wrote to memory of 2648 2536 mscorsvw.exe 50 PID 2536 wrote to memory of 2648 2536 mscorsvw.exe 50 PID 2536 wrote to memory of 2648 2536 mscorsvw.exe 50 PID 2536 wrote to memory of 2816 2536 mscorsvw.exe 51 PID 2536 wrote to memory of 2816 2536 mscorsvw.exe 51 PID 2536 wrote to memory of 2816 2536 mscorsvw.exe 51 PID 2536 wrote to memory of 2816 2536 mscorsvw.exe 51 PID 2536 wrote to memory of 392 2536 mscorsvw.exe 52 PID 2536 wrote to memory of 392 2536 mscorsvw.exe 52 PID 2536 wrote to memory of 392 2536 mscorsvw.exe 52 PID 2536 wrote to memory of 392 2536 mscorsvw.exe 52 PID 2536 wrote to memory of 2808 2536 mscorsvw.exe 53 PID 2536 wrote to memory of 2808 2536 mscorsvw.exe 53 PID 2536 wrote to memory of 2808 2536 mscorsvw.exe 53
Processes
-
C:\Users\Admin\AppData\Local\Temp\87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe"C:\Users\Admin\AppData\Local\Temp\87db4e4f87e40ebaa39eb90307a856267bcfc49c723262105c41d41f899f7c55.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 840 -s 3202⤵PID:2868
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:1048
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e0 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 268 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 268 -Pipe 1f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 1e0 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 26c -NGENProcess 278 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 1e0 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:392
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1e0 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 280 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 278 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 270 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 270 -NGENProcess 1e0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 24c -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2ac -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b0 -NGENProcess 1e0 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1396
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1560
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 230 -NGENProcess 22c -Pipe 1fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2472
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 250 -NGENProcess 108 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2232
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 220 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 21c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 25c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2652
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2060
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 26c -NGENProcess 1f4 -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2680
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f4 -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2288
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 270 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f4 -NGENProcess 264 -Pipe 108 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2592
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 26c -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1312
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 280 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2024
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1bc -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 274 -NGENProcess 254 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2328
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 280 -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 1bc -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:948
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 220 -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1116
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 28c -NGENProcess 288 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 1bc -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2664
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1bc -NGENProcess 220 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2a0 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2068
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 1bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3036
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 264 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1148
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a8 -NGENProcess 264 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1776
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1756
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1132
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c0 -NGENProcess 264 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2264
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 264 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1976
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 29c -NGENProcess 2c4 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1136
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 254 -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2472
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2324
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 29c -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:2792
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:3000
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:900
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 29c -Pipe 220 -Comment "NGen Worker Process"2⤵PID:2896
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2dc -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2440
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2dc -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1676
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 29c -Comment "NGen Worker Process"2⤵PID:2188
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2452
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2412
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 2c0 -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:2000
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 300 -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:1776
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:2368
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2c0 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:1596
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:2736
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:2312
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2c0 -Pipe 304 -Comment "NGen Worker Process"2⤵PID:1116
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 320 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2784
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 2c0 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2064
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 318 -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:1660
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2108
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2c0 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:2568
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 314 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:1124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2c0 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:472
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 334 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2436
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:660
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:1640
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 314 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2892
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 350 -NGENProcess 340 -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:2360
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 318 -Pipe 198 -Comment "NGen Worker Process"2⤵PID:2544
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1916
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 314 -NGENProcess 350 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:2560
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 360 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:2364
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 35c -Pipe 338 -Comment "NGen Worker Process"2⤵PID:2440
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 358 -NGENProcess 350 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:2428
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 354 -NGENProcess 368 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 370 -NGENProcess 35c -Pipe 344 -Comment "NGen Worker Process"2⤵PID:640
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 358 -Pipe 364 -Comment "NGen Worker Process"2⤵PID:920
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 314 -NGENProcess 35c -Pipe 360 -Comment "NGen Worker Process"2⤵PID:472
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 37c -NGENProcess 354 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:1184
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 358 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:680
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 35c -Pipe 350 -Comment "NGen Worker Process"2⤵PID:1724
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 354 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:1576
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 358 -Pipe 374 -Comment "NGen Worker Process"2⤵PID:1600
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 35c -Pipe 394 -Comment "NGen Worker Process"2⤵PID:2248
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 314 -NGENProcess 390 -Pipe 37c -Comment "NGen Worker Process"2⤵PID:1144
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 398 -NGENProcess 358 -Pipe 368 -Comment "NGen Worker Process"2⤵PID:436
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 35c -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:1312
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"2⤵PID:2364
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 3a4 -NGENProcess 358 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:1136
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 35c -Pipe 380 -Comment "NGen Worker Process"2⤵PID:2504
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 39c -Pipe 314 -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 358 -Pipe 398 -Comment "NGen Worker Process"2⤵PID:2688
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a8 -NGENProcess 3b8 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 38c -NGENProcess 358 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:2124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3bc -NGENProcess 3b0 -Pipe 390 -Comment "NGen Worker Process"2⤵PID:1512
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:2588
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:2768
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 3b0 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:2344
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b8 -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:2252
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:3016
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1100
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3052
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1296
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD525b671db98bc6f7dab1f92ac835966f9
SHA1b4781f6ea69a7966edba09c0fb41522b2908d804
SHA25640536469f0bfb6a290867c67c99900dc9943f7ba52449ec8277f30d3f80496d9
SHA5125b30f97ff88083688d7443c3443898b2d322bd127f78185bb51680b79eacb506e46e81e03dfc756615b229a0ff7bf7f41cc08cb8cfa7c0d80d58098f1dca165f
-
Filesize
1.6MB
MD5b83162ce5fcd5026c513b289596d57c4
SHA1cdc4356f850cb9976b512a2e7f7b543468fe55f4
SHA25664a7fcb9ea7ca94a6c711a2772fb35d8653d935f6dc3b9570bc5b71bab95c396
SHA5122678ba5678c2459bef4ca826545560a286a746d65eff2235a5c028806ab1a790f94ed8c2bb8f975fc89b77080851001de2d471995d4da5d2d00d07dafd6a28c1
-
Filesize
1.3MB
MD5004b3b30d3064a080e3f6cf4c3153609
SHA1f3795528b24d6f90449502350e4d9f24989986d4
SHA256b608f88e4ed549c6da0948bc29867d710196598b0625c2e47a26ae7edfcc9213
SHA51288269d0078edbc4e6bab97658ee424a471bb975cb726171f8fa0bb5f996c86dbc0f51f9aae80e56bd3d3b50ad863df2a2782cabb31af1295099a63804efc7dbc
-
Filesize
1.6MB
MD5c25b96741d87a8b9e07d6098b0059dcd
SHA13c57c7a0b8e5eecd775c60294a628da6edea726e
SHA256bec8811ddc776e7b22276925f6675b70c715bd81989af8e61dbee7d82fea2a23
SHA512fa283f13de123a297459a250d4701478f05ac49bf3fbd95ff9f93179180338054db9def2b11a9498bfd3fd6ae407c8cc55a1986c75644b29e6628fcb1a8a3dc0
-
Filesize
1.3MB
MD5f2a0fb683a3eb9ed60b0446d10a03063
SHA14adda5f78f3a03e59c56525db2a6635d8ecf97b1
SHA256694a056003539e08c1406a36674cd51900dd146adf19ab6f40df67e0cab6c4fa
SHA51219d3fc279271f201f525060f0b5484a8182c4a8529ead7eb399aab1526666676dbc6b89a85741ca67286f891e160f0970d15e30f043f5f4ef83daa2b72806b18
-
Filesize
30.1MB
MD5d332ca3443aa56c9edb5b3ba34e3ba4e
SHA1423dd1009a7007e3a98ea7cad92d8e2a116a8190
SHA2562b7437737fc511c258b073a4fd802d9d3a1382ba7d7c019f4f4116271b60782c
SHA512db20eed6dc69a7db3973d09a871ced80df671ea4a86c87e3432c0f777d0f6f9d3a6da1be6ff2392ea68d2d9be8d98b753db3cc444789dc35b81f6b6c75a7ff76
-
Filesize
1.3MB
MD53418a53a8f98bfc81204faf4ec4589c6
SHA164546e9c943eb2f8d6a0d2fe81d1aa0acbaca121
SHA25666666c8167b4afdb338c32b54d20ff3ca269d72844f18665905e9b2237abd5d1
SHA5121575ae57195e4c3c3670f7747325c47ace66583037fc40387dfa0c740cecf0cbc73edb007b04aef6dd8da6de0023b61c1f9b7f77d1e0e7c6cc268fa1b8765c53
-
Filesize
1.7MB
MD566ed269a0d88fd9845fea3d3af33834b
SHA10feb2a870d26ca62034960b6e35462d776aee98b
SHA2567a2523e733eedd2d606b3515cb261fa27d31dc40a1d4e74ca583f9c1cc29a555
SHA5120acb50800c5eadbd0b90563af3bd1df4c96290f917a33c89b811d4074fc94a4122732b38ac3ded9e3d7e1eed7347daf41551391f71945e627605ef5c8c4e55a5
-
Filesize
1.5MB
MD502bf19c6ec4b1bb36e67c72df89483d4
SHA196546a757c4056c9726f35b6f7fdf3f7acacf1d0
SHA256bbe13df521b5b8b30617d8a83bb60c9784c0ab4c1337bbe92d1473b1513cac9b
SHA512916005685c0aa72ca50e9149ff7f6b2177dd988999a96078ebcb24ee6172f79f9cad169fbc0afd5e88cf9aa6182f6b07b0ab5ab8089e858c9293f1bdce5421f6
-
Filesize
1.2MB
MD54658d6dfd831b752c73c46e4c25f7540
SHA12c9aa290d15e43cdd84b4cfdecb9d52a573d122d
SHA256692b9e9506ebc786763f2695359ec7dc2d5782d816ab2dfbaada3c3be42ea043
SHA51243041816a4cdcefe86d1ccf952a8bc56af14456047dcc9534f635c2f369047300ae1821bdb63230bc417357d5c5698396ca6997a9db9349bdd11f579ff65f666
-
Filesize
1.1MB
MD541439e6d5b1a0205e4e41b6bd5e6dad1
SHA1a5db8fb108be71276c5737910a7f412b055dc504
SHA256ce50ae1c66149ba3f2c601ca1d63932f633a6e51e769943992e6b70a427ae377
SHA512231369e518834c13de2edcfffa72bdebcd2965cdf20b55e4e444fa77c8febb537c4d84ce5752cb2bf2399de457c6f2ac7bde75683c09f4aaa7c624ec090eefd5
-
Filesize
4.8MB
MD5937e473932808f13d8f168552a4688b2
SHA12bfbc8ec3ad12a6d42ee221a0851834b0574c1cd
SHA2568816ffe95849f8209174592956da1f256f3015aa05185336aa66a2aa7ee4445f
SHA512e66f0a8c2ff49577e319ead14a8403573fa4b581eace3605f29da4b59266cadab65a28c8dba13cdb0fb23609f5e90663659af2ddab3618ebd84c1bbec6cc0c1d
-
Filesize
4.8MB
MD52fbb5e42f3964f001f54d5fd9eeb2eef
SHA1b82a199934098dc34e01d7008621b2c5b3c5ed78
SHA2564cea70125e928e8b72bf960c67bbbb396506820d3c36a036ea0f0596143476af
SHA51212ffb123f952c4cec29da9a283d5cfcc519cbc7422625e9be0b72f8990be2f6a1bf510ce63a77ae086157401d52c39bf63f2a69b862ba8500648aaf2908c9bae
-
Filesize
2.2MB
MD53c09770d6c187d6dc8cf032da018b939
SHA1ff23e49bed6ce1640141858e312c80d9d904c7a8
SHA25668eab9316f1561e26b370bd90e7e66564025a97f478af596a5114ff5da80cb68
SHA512cc987bd7a9b3d7bc9f753a52d3bd88c10516c46787c916a9047c425e0da87019ab7325818670ca1134904d935d01d2a6d2019fede29839828d98f271f253b694
-
Filesize
2.1MB
MD5565c12cfad6ba6c8f13be5cea3dc7e61
SHA197629bcabd4128cf6bfafbd6de5fcd5b49155d47
SHA256c24b96df1ae37f8ef08b3db3da4dc6032b0541b0403707f67810a5b69ea4c1cf
SHA5122a3ac37df646aaba907574545b67f3d7bedf73165369efd6076a78f42c98f6821451bbe4e04b2a092407f800404bf877bfff7864ed793a38871f873918db8026
-
Filesize
1.8MB
MD58784a8a12b6963ab96e530e45edd3616
SHA13b15ce5e24e9fdccb5d156707c62a0014b1fc96f
SHA256dbf520c304599d6c58055618b08e3e6afeea2fda5967a20be5e59155bb3f8ba2
SHA5122b4cd3834488b2089a615ecc19c71fbdfee0436335b2121b98cb4f4e5741df3f5391faecd81afd693db56909cd01ce993c1cad0815b89407eedc956567ebde91
-
Filesize
1.5MB
MD5f30b6bb41468c3ea4c2ad871a49e847e
SHA1089edebebd486263acd97e6c687801acc8aaff87
SHA256dd0b06293488920c8404fbbb81c39b2e8729274052884059ef6e23d9226fcafb
SHA512c77de442bc6805c5594f5d1eda62ec64d926661ca7e8b671fb5530a7a48697ebc46820d0bd847b67c1ba8cae89fdfe162d128708804ef12c2517cdaef612465c
-
Filesize
1.1MB
MD5a977d7bd27192d3125b60c683d149976
SHA159be69e6ec7f3a1ca3d1d03e40b014481afb2ac1
SHA256533600e8f9fe08632ffec789d6ffa83c335b45d1a9aa4b13466e9c0895fc98a4
SHA5122b82fcaa087ab73b13c31a299a7df604323de9d4f77f9fd562681ebd07bb5f712133aa4ac8e5ad37085a3edd3befea3d82ff5568866a0f85392e8a464887a24d
-
Filesize
1.1MB
MD5e993940c8ffc6f63bef96a94839dfdef
SHA14d2baa929a8124b5dfbdf087515761ac63090ce1
SHA2562c22cbaaee36f45700d13ee5e246450e8285d96fcf82437ce4e4c15c419f79d0
SHA512853b3d2cb2ac8a912b1c06218f491f8be09b8b2823d6b50dd9de25e8dbbb4932634ff3a3e7ce2c4f61c818667eb34a8ca349823a2a02df307a9e5785e568a267
-
Filesize
1.1MB
MD5b2dfecbe3be532c069baa63af129af71
SHA193a11142cd9ada2eaf67a756b8d34e3fbe1301df
SHA25630031eed90120e2e1e09b7e6a9741b7317ba77e014623dd37a0685dfb56c4119
SHA5128306d2010d2e20a129a7ee3436bbac927909f064cd070879b690e711d0602067aa7dcf6383593c26be505367717aac15f16d04aaa73a043c5bb90289ca8cfc45
-
Filesize
1.1MB
MD5e0cc7e1e8de69245d29a8bf691448ec0
SHA16f4743951523571a94a16edb4833caf3acdd95c4
SHA256b3c041dd9dd3506061444cc43b3e93c6c83b038445b48ec1202ecb81ad3086e3
SHA512757ef6fb7d76a56b765db578c73842784dbc4a41517b627898ebed3cb7a1c0b54f3eeb83f0cbd63bf40fc9aa298cdb3e57a12d84b83b8d24b99fbf2b5bddf649
-
Filesize
1.2MB
MD552d8bfe016b812a9c39e2f340431dae1
SHA19b0fcfa36b0ed4161f05c2f5085a2f4d831282c3
SHA256da1dc357935874051a481004c557cd0035ea8806ea787876d5a7040fe093d529
SHA512bb8dc5ba96ddceee3005986b585519fc72aa3b68de26ed8cb594a78bf9e525f9a79d8a2664eb4b497b803c97e73b28e0b29900a45ddcac7b26024213064b9990
-
Filesize
1.1MB
MD53d378c019d975a3da00261ec85465408
SHA1bfe9546c391a0d674ce7617ac294bdf0fa05ea88
SHA2569eb6048ef42e92ab0bba46716c322a13e3a944831a4e1aef5ad26308f6c9e31f
SHA5127c7540e1d965d01c2fba84d02666b7199d84f3dbe7fd3785cb9f2b5df3ecf6231bd0d2e5d59fafca1331e472d9aa03e21e38334eaba61d90c254eb4ac7f2688c
-
Filesize
1.1MB
MD5a94a2a80f58abd138907a6e5f25b68b3
SHA1c249e06e2746959cba77de5ae26abb6733b313b3
SHA2562ce1b6f5c2e54a2e7e346bb0eb88bb3b0de4973b424a47cdce8ce6d538ad77d3
SHA51248dd280e9b9cf8ffd03fb09f13a8fe4683f5eef284faed6fbb097ab559183c433adeacb4ec4ad742d6d4c62abbbbdd1915457ca6b0eba72acc90bae43c5dd831
-
Filesize
1.1MB
MD56cb585990840f3b07bac495d68dd3b6c
SHA1d33325525e00cf53e34d710bf330a2ef2561cedf
SHA25672d0a204782d4c8b9ade3d91dd981ac3a5d2e9640714796a8b70236076a07e7d
SHA51286a9ffbbb64bd4d66c138643696a3fd1d3112a16e3cff65128ead535bd49378605e7850b86404cdf44b2dd8f528f65b4feb6ada2f3b3fde353fdc17c7eb0c424
-
Filesize
1.3MB
MD5cd83099609cb802bb79f945a0bf2ac49
SHA1853f63c009b7f05db601c58fb7977690b62d0629
SHA25646fcb5863dcc103d8fcbcbec835df6fdf7abad4c2d06fc0204805eef28a9f689
SHA5125b4c3b28ddae7eba5ed4df3a7797c98d662e0d0665304da53fd01ac4ac6838de17f00f666c998a7c5d8ef024a88672b06d462c750fb501d4a1fb34e2d2bb3c52
-
Filesize
1.1MB
MD5644d78a7fc5ff1d45b1bdb79ccfe1c01
SHA1cee29a281b25145f59031c4f90d3714a4d1ea9ff
SHA25692a7d871e97af2422792e351c0687de4934ca0251c5281bd3f57eef5a7235820
SHA512e2ce00953669bf9c1ffa570936035e018f4cebec5a91846564473846f8e6cb6b69605fe6b21b43e73b94e17043a7f1c6bd33540b0cbc328ec7dd1a9356a30785
-
Filesize
1.1MB
MD563a1be0f75c5ffa922527655b8450796
SHA19a5a661cfa6e2930cb9ef2e641197bc32e41fefe
SHA256bbdc6514ac76ca15532ea0555d2baa1a4cc1fb6bbe6d59f507c59f738720670a
SHA512cd67aa6ab790ed5dccda008746702eee5667626319aaa59b32b48ac9971e58837b03d6ff03d038f49cd0d79a4e578649faeeb7e8ad77b7562cb769bde224eea0
-
Filesize
1.2MB
MD5b5a01ab5a888bbf5ce7e546b999d8b62
SHA1ef9e444d9962888e4eb326ab656176182788b8e0
SHA256644ac0ce9389d9bce3ce851b111ee7a2bc490d2fceef92024e88abe04f6c467e
SHA51214aa13f44484e210bbd343c1cefbe5dace4b6131656fd2c8e27a127a33fb7e9ad55710aae3aaa35ded0c0c3380719aafd917316c7404ab91ab29160d2e9d914b
-
Filesize
1.1MB
MD523cef698708c5d8c994a8a9793f2447a
SHA1d0e63fe7626a4d9f030aacf932d3b2eeed8928b8
SHA256501f64b62fee106b51e4f94f2ab84c6691c22a62e4f62a21e2252c269e2b4e2a
SHA5126260882f499d924cd6f1ab9136a5fbd8bfaeff6c534cffda5d3f985e2c9d54f81b3554d759595f6808133d4877e14fe7dcffec29bcdab06e88cceb3b6c219e0e
-
Filesize
1KB
MD5c85eb6df7d06bfcd6e18adda837577f6
SHA12ab35af815cc7421309c4a6f6e2fd6c46bf89198
SHA2564612ce909b0bf1285bb6dfd2d49b57ac78c7ec944d4821acc3fb8dc2b809cc14
SHA5121a2e121f7e8a544812ab4235e207f51bdabc427f64739033e82da32f86c350576ae6c9cabacde6a0e3d30aedb6a0eeab233b5a1678ccfae2e80b07bd14f932b1
-
Filesize
1.2MB
MD5c5e513c9bf1213aecaed4bfcf3c92f8f
SHA12d9166d117868d1680e07fba0a5810a8c18642a1
SHA2565a696cfe4c93529eaadff9d0015e8a5533d77895836c53c23180f7c92c54cb5d
SHA512333df6f5870f2b9ed662c40beb07762c7ca9e45717fda65520efab737fa2f6a787152f8d928c4abee99c8a76389ae80c4fe8923fafd5a58d495d5014ecaba5e5
-
Filesize
8KB
MD55877d94f5882b8fd1341d9aa4ecc10e3
SHA1a902c57d1a9b16d803f903f733756144c2a14418
SHA256f9aab3d349b1cbcd6f686b075e299a17f10ce120939b302d82bb88f86cab0bda
SHA512cc19de2451d29728632dc72d603397688d0bba051d79e629dac790f952c463a5d384ba3a68425c44e18cb62394b55f0bbd574bcd5c7da0198b1f5a1c61706f12
-
Filesize
1.2MB
MD5cddc17668971cc7c8879c4a99ab6e577
SHA11faf8924773e2703b9f7c1f8e2d07d3d2d121957
SHA2560b5dd0181aef4149e572f6739a69d568d2e3758464b28cdc36317adb89887def
SHA512afda27c7da9be0c9991d14922df88be986e2fb948f8bb5104ab098656f375cdebe234d06d280bf3c9255a092c08f61ef85a22d21a807d588f9b96880e558c78f
-
Filesize
1.2MB
MD5963881ee892a17df79425f9c5eaf1be4
SHA13cad1464f17e0a23102283da252793e53e77fe5b
SHA2564c495100fe076e4b5f508bb2aa5e99c80659e98e7e87271f41cfe8955e0debde
SHA512e79795d6d8bc8ec3c14eec4b5b69d39367eec6205f9800b41b6d116762bf3d57524f1e7b70a7b1a1d8caf6c36d3e7ef8967f353d07b17dd2d129d86240ce884d
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize105KB
MD5d9c0055c0c93a681947027f5282d5dcd
SHA19bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA5125404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize248KB
MD54bbf44ea6ee52d7af8e58ea9c0caa120
SHA1f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\00930aca72754d7723d50c263bee2d30\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize271KB
MD5f41a636a190eeddf16416d92dc084423
SHA148e8ffa894480b989165a257ca11923d10a66d75
SHA256c5efa31dd3c346f9db14b13826975346b147e7eb856017566f7fa153ca4f911d
SHA512859380a1a8a5bb22b7baba717056615efb237445aee9d62a41ebade526aac0b00a3f99e32161d13a0161cf687f8408fa5d80a772025be9ecdb0c322761f967e2
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize205KB
MD50a41e63195a60814fe770be368b4992f
SHA1d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA2564a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA5121c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2441ead3246dd40d0e224adc999e540f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize122KB
MD5e6b71c83ddaf7f60d276f4c3458ebf90
SHA1a038ddcadc89b91426b61abcd6ab98d0a38eb0eb
SHA256c346f68104c0120eb81d08f8c6d3eef7724f3261d4ada2da1491188e707cccf0
SHA512773a4f7a35f92e3a4b97376fc3e186d2f0574161f72484a19fa964657dcc38005bc1f6be23ff1ca76ef1ddf116f179f1227b5384f19aa5c515264440be55a25d
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize43KB
MD568c51bcdc03e97a119431061273f045a
SHA16ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA2564a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize70KB
MD557b601497b76f8cd4f0486d8c8bf918e
SHA1da797c446d4ca5a328f6322219f14efe90a5be54
SHA2561380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA5121347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize82KB
MD52eeeff61d87428ae7a2e651822adfdc4
SHA166f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA25637f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a1a4ebbbe29299fa354f44b78ecf4914\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize305KB
MD5f1f5bebce937562dbba6d5347c107841
SHA1ea5576cd798397968bfd1b935f09236793c985ae
SHA25608cf1a71d0c45a1bc8eced4610ff915d0e45f4857c117e6c621ee586bf8f19b3
SHA512a4d1c6af06be7a806c80e7cfefa54362aaf7ed559b7406c4aca220319fc1a898387c2df5f452b223fc70f59f25a3bba03103c59f735a461d508bdc1852c37280
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bf745f994f4713fd29603d334d8985b0\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize221KB
MD5be887f9f2241cdc21e7486fec5fc5dd9
SHA160bcb8680ac8fb112413c588b94fa1e2b5bee5cc
SHA256900dec2089b0f7093239bef187318cc318c170fbc64e132951903795bb125765
SHA5124561eb6b99e8ff1f523a485e3226d93c3610cc7b512c35ece6735c8732bd10b0679ca089274d572afa50478aabbc1bd68da38d4f8d6934cdc962d6226b512ab6
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize43KB
MD5dd1dfa421035fdfb6fd96d301a8c3d96
SHA1d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA5128e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize124KB
MD5929653b5b019b4555b25d55e6bf9987b
SHA1993844805819ee445ff8136ee38c1aee70de3180
SHA2562766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize2.1MB
MD510b5a285eafccdd35390bb49861657e7
SHA162c05a4380e68418463529298058f3d2de19660d
SHA2565f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA51219ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize88KB
MD51f394b5ca6924de6d9dbfb0e90ea50ef
SHA14e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA2569db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476
-
Filesize
1.2MB
MD53b2c0e310f7b19b13177190f790dbdcc
SHA12716d16dd099f97810bd328b937cf96ded684b6d
SHA256e9f1f6bac7b2cc03b513b4c5321591a2373440bc3e086c39cfa28be5bbf7483e
SHA512aa844bc50cc3a3185788733d6ce26662268bb4380b2e2a63ff02412bcd907584bf62a55180e633aabba96c43c41fa8a15ac5005a1fca09447f5343ccb8936ffc