Analysis
max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-10-2024 16:48
Static task: static1
Behavioral task: behavioral1
Sample: 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Resource: win7-20241010-en
General
Target: 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Size: 3.8MB
MD5: 1bde070a00ddc6ecb6e635da721169aa
SHA1: e0df83de2cee40abc51085191171ec14849f8231
SHA256: 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4
SHA512: 22446881983eba9e8f4b20cb4a898c4e0c84461268b034ae46c35485d4ae0576fec27d6efa13dde5cabc81aa4ecf95ab78a8573f9b2417bb26d26ba00032791a
SSDEEP: 98304:mdV5gl+udWkPANymW1FDUggBFfMBdfFLOAkGkzdnEVomFHKnP1/iyB:mdVOpbAqDUggBFyFLOyomFHKnPl
Malware Config
Signatures
Executes dropped EXE 64 IoCs
pid | Process
460 | Process not Found
2420 | alg.exe
2496 | aspnet_state.exe
2820 | mscorsvw.exe
2988 | mscorsvw.exe
3028 | mscorsvw.exe
608 | mscorsvw.exe
564 | ehRecvr.exe
1532 | ehsched.exe
856 | elevation_service.exe
1356 | IEEtwCollector.exe
2376 | GROOVE.EXE
1544 | maintenanceservice.exe
2224 | msdtc.exe
2836 | msiexec.exe
1552 | OSE.EXE
1692 | mscorsvw.exe
1192 | perfhost.exe
2292 | locator.exe
1152 | snmptrap.exe
2552 | mscorsvw.exe
892 | mscorsvw.exe
1704 | vds.exe
2844 | vssvc.exe
2980 | wbengine.exe
2676 | mscorsvw.exe
1972 | mscorsvw.exe
1612 | WmiApSrv.exe
888 | wmpnetwk.exe
3016 | mscorsvw.exe
2928 | SearchIndexer.exe
1236 | mscorsvw.exe
2504 | mscorsvw.exe
1448 | mscorsvw.exe
1544 | mscorsvw.exe
1304 | mscorsvw.exe
3036 | mscorsvw.exe
264 | mscorsvw.exe
2776 | mscorsvw.exe
1424 | mscorsvw.exe
2320 | mscorsvw.exe
1628 | mscorsvw.exe
2544 | mscorsvw.exe
764 | mscorsvw.exe
1656 | mscorsvw.exe
972 | mscorsvw.exe
1512 | mscorsvw.exe
1760 | mscorsvw.exe
264 | mscorsvw.exe
1064 | mscorsvw.exe
3016 | mscorsvw.exe
844 | mscorsvw.exe
2236 | mscorsvw.exe
2368 | mscorsvw.exe
2228 | mscorsvw.exe
680 | mscorsvw.exe
1540 | mscorsvw.exe
520 | mscorsvw.exe
1592 | mscorsvw.exe
1700 | mscorsvw.exe
2328 | mscorsvw.exe
1456 | mscorsvw.exe
2072 | mscorsvw.exe
1972 | mscorsvw.exe
Loads dropped DLL 52 IoCs
pid | Process
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
2836 | msiexec.exe
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
460 | Process not Found
748 | Process not Found
2228 | mscorsvw.exe
2228 | mscorsvw.exe
1540 | mscorsvw.exe
1540 | mscorsvw.exe
1592 | mscorsvw.exe
1592 | mscorsvw.exe
2328 | mscorsvw.exe
2328 | mscorsvw.exe
2072 | mscorsvw.exe
2072 | mscorsvw.exe
2144 | mscorsvw.exe
2144 | mscorsvw.exe
952 | mscorsvw.exe
952 | mscorsvw.exe
2124 | mscorsvw.exe
2124 | mscorsvw.exe
960 | mscorsvw.exe
960 | mscorsvw.exe
2232 | mscorsvw.exe
2232 | mscorsvw.exe
1616 | mscorsvw.exe
1616 | mscorsvw.exe
2020 | mscorsvw.exe
2020 | mscorsvw.exe
2228 | mscorsvw.exe
2228 | mscorsvw.exe
2464 | mscorsvw.exe
2464 | mscorsvw.exe
2636 | mscorsvw.exe
2636 | mscorsvw.exe
3016 | mscorsvw.exe
3016 | mscorsvw.exe
764 | mscorsvw.exe
764 | mscorsvw.exe
2184 | mscorsvw.exe
2184 | mscorsvw.exe
2232 | mscorsvw.exe
2232 | mscorsvw.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f19c755b5f6c6349.bin | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | alg.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDE6D.tmp\Microsoft.Office.Tools.Common.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9EAF.tmp\stdole.dll | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8066.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6A28.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6613.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP82C7.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | mscorsvw.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe | 14
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GROOVE.EXE | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe | 9
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe | 17
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OSE.EXE | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe | 16
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process
1308 ehRec.exe
2116 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe (×25)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2116 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe
Token: SeShutdownPrivilege 608 mscorsvw.exe
Token: 33 2328 EhTray.exe
Token: SeIncBasePriorityPrivilege 2328 EhTray.exe
Token: SeDebugPrivilege 1308 ehRec.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe
Token: SeShutdownPrivilege 608 mscorsvw.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe (×2)
Token: SeShutdownPrivilege 608 mscorsvw.exe (×2)
Token: 33 2328 EhTray.exe
Token: SeIncBasePriorityPrivilege 2328 EhTray.exe
Token: SeRestorePrivilege 2836 msiexec.exe
Token: SeTakeOwnershipPrivilege 2836 msiexec.exe
Token: SeSecurityPrivilege 2836 msiexec.exe
Token: SeBackupPrivilege 2844 vssvc.exe
Token: SeRestorePrivilege 2844 vssvc.exe
Token: SeAuditPrivilege 2844 vssvc.exe
Token: SeBackupPrivilege 2980 wbengine.exe
Token: SeRestorePrivilege 2980 wbengine.exe
Token: SeSecurityPrivilege 2980 wbengine.exe
Token: 33 888 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 888 wmpnetwk.exe
Token: SeManageVolumePrivilege 2928 SearchIndexer.exe
Token: 33 2928 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2928 SearchIndexer.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe
Token: SeShutdownPrivilege 608 mscorsvw.exe
Token: SeDebugPrivilege 2116 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe (×5)
Token: SeShutdownPrivilege 3028 mscorsvw.exe
Token: SeShutdownPrivilege 608 mscorsvw.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe (×5)
Token: SeShutdownPrivilege 608 mscorsvw.exe (×3)
Token: SeShutdownPrivilege 3028 mscorsvw.exe
Token: SeShutdownPrivilege 608 mscorsvw.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe
Token: SeShutdownPrivilege 608 mscorsvw.exe
Token: SeDebugPrivilege 2420 alg.exe
Token: SeShutdownPrivilege 3028 mscorsvw.exe / Token: SeShutdownPrivilege 608 mscorsvw.exe (alternating pair, ×7)
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2328 EhTray.exe (×2)
-
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
2328 EhTray.exe (×2)
-
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process
2116 0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe (×4)
576 SearchProtocolHost.exe (×5)
2552 SearchProtocolHost.exe (×15)
576 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3028 wrote to memory of 1692 3028 mscorsvw.exe 47 (×4)
PID 3028 wrote to memory of 2552 3028 mscorsvw.exe 51 (×4)
PID 3028 wrote to memory of 892 3028 mscorsvw.exe 52 (×4)
PID 3028 wrote to memory of 2676 3028 mscorsvw.exe 56 (×4)
PID 3028 wrote to memory of 1972 3028 mscorsvw.exe 57 (×4)
PID 3028 wrote to memory of 3016 3028 mscorsvw.exe 60 (×4)
PID 3028 wrote to memory of 1236 3028 mscorsvw.exe 62 (×4)
PID 3028 wrote to memory of 2504 3028 mscorsvw.exe 63 (×4)
PID 3028 wrote to memory of 1448 3028 mscorsvw.exe 64 (×4)
PID 3028 wrote to memory of 1544 3028 mscorsvw.exe 65 (×4)
PID 3028 wrote to memory of 1304 3028 mscorsvw.exe 66 (×4)
PID 3028 wrote to memory of 3036 3028 mscorsvw.exe 67 (×4)
PID 3028 wrote to memory of 264 3028 mscorsvw.exe 79 (×4)
PID 3028 wrote to memory of 2776 3028 mscorsvw.exe 69 (×4)
PID 3028 wrote to memory of 1424 3028 mscorsvw.exe 70 (×4)
PID 3028 wrote to memory of 2320 3028 mscorsvw.exe 71 (×4)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe"C:\Users\Admin\AppData\Local\Temp\0989acd01e093156e46927215993ce5805d0fe7bfe077734e94b97c0685a45b4.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2116
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2496
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2820
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2988
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 244 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 1d4 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 270 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 27c -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1d8 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d8 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 290 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 290 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a0 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a0 -NGENProcess 278 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 254 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 27c -Pipe 1f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 23c -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1e8 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1e8 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 27c -NGENProcess 248 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a4 -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 244 -NGENProcess 1e8 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 248 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 248 -NGENProcess 2a4 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2ac -NGENProcess 1e8 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1e8 -NGENProcess 290 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 2a4 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 278 -NGENProcess 290 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 290 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 2ac -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 278 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b8 -NGENProcess 254 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 254 -NGENProcess 288 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c0 -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 278 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2c8 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 288 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:1524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 23c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 224 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:2052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 314 -Pipe 308 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2f8 -Pipe 30c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2e8 -NGENProcess 310 -Pipe 25c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 208 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 324 -NGENProcess 2f8 -Pipe 20c -Comment "NGen Worker Process"2⤵PID:2856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 310 -Pipe 318 -Comment "NGen Worker Process"2⤵
PID:928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 208 -Pipe 31c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2384
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f8 -Pipe 320 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 310 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2260
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 208 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
PID:2640
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f8 -Pipe 324 -Comment "NGen Worker Process"2⤵
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 310 -Pipe 328 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 208 -Pipe 32c -Comment "NGen Worker Process"2⤵
PID:960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f8 -Pipe 330 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 310 -Pipe 334 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 208 -Pipe 338 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f8 -Pipe 33c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 310 -Pipe 340 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 208 -Pipe 344 -Comment "NGen Worker Process"2⤵
PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f8 -Pipe 348 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 310 -Pipe 34c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 208 -Pipe 350 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2f8 -Pipe 354 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 310 -Pipe 358 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 208 -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 208 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 37c -NGENProcess 2f8 -Pipe 364 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 374 -Pipe 36c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 2f8 -Pipe 310 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 384 -Pipe 208 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 304 -Pipe 37c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 374 -NGENProcess 360 -Pipe 39c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2232
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 360 -NGENProcess 390 -Pipe 398 -Comment "NGen Worker Process"2⤵
PID:2260
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 3a0 -NGENProcess 304 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
PID:2288
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:608 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:264
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1064
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:564
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1532
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:856
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1356
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2376
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1544
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2292
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1152
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1704
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1612
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:888
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2928 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:576
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1668
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2552
-
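The tree above is what a responder has to act on, so here is an added triage script for it (example code, not part of the sandbox report or its tooling). It parses the tree in the form the page's text export produces: the image path glued to its command line, a trailing depth glyph ("1⤵" for a root process, "2⤵" for a child), flag bullets, and "PID:NNNN" either on its own line or glued to the entry line. Two checks follow. The first lists every image flagged "Executes dropped EXE" that lives under C:\Windows or C:\Program Files: the sandbox sets that flag when a file the sample wrote during the run is later executed, so for a binary that already exists on a clean image it means the on-disk copy was replaced before the service started it, and those paths are what to re-hash and signature-check on a suspected host. The second checks the NGen worker chain: in this report each mscorsvw.exe worker's -StartupEvent handle equals the -InterruptEvent of the worker listed before it for all but one adjacent pair, and the function reports where that continuity breaks. SAMPLE_TREE is a constructed excerpt of the report's own lines; the directory prefixes and the regexes are this example's assumptions.

```python
"""Triage a scraped sandbox process tree: which pre-existing binaries ran as 'dropped' files.

Added example, not the sandbox's own parser. SAMPLE_TREE is a constructed excerpt of
the report's process tree in the page's text-export form.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_TREE = r'''
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:2052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 208 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1624
-
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:856
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1704
-
'''

ENTRY_RE = re.compile(r"^[A-Za-z]:\\")                 # an entry starts with a drive path
TAIL_RE = re.compile(r"(\d)⤵(?:PID:(\d+))?$")          # depth glyph, optionally glued PID
PID_RE = re.compile(r"^PID:(\d+)$")
IMAGE_END_RE = re.compile(r"\.exe", re.IGNORECASE)    # image path ends at the first ".exe"
HANDLE_RE = re.compile(r"-(StartupEvent|InterruptEvent|NGENProcess|Pipe)\s+([0-9a-fA-F]+)")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")   # assumption: "pre-existing binary" dirs


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    flags: List[str] = field(default_factory=list)

    def handles(self) -> Dict[str, str]:
        """Handle values an NGen worker receives on its command line (hex strings)."""
        return dict(HANDLE_RE.findall(self.cmdline))


def split_entry(line: str) -> Proc:
    tail = TAIL_RE.search(line)
    if tail is None:
        raise ValueError(f"no depth marker on entry line: {line!r}")
    body = line[: tail.start()]
    m = IMAGE_END_RE.search(body)
    if m is None:
        raise ValueError(f"no image path in entry line: {line!r}")
    pid = int(tail.group(2)) if tail.group(2) else None
    return Proc(body[: m.end()], body[m.end():].strip(), int(tail.group(1)), pid)


def parse_tree(text: str) -> List[Proc]:
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank line or list-bullet residue
            continue
        if ENTRY_RE.match(line):
            cur = split_entry(line)
            procs.append(cur)
            continue
        if cur is None:
            continue
        pid = PID_RE.match(line)
        if pid:
            cur.pid = int(pid.group(1))
        elif line.startswith("- "):
            cur.flags.append(line[2:])
    return procs


def overwritten_system_binaries(procs: List[Proc]) -> List[str]:
    """Images flagged 'Executes dropped EXE' under system/program directories."""
    return sorted({p.image for p in procs
                   if "Executes dropped EXE" in p.flags
                   and p.image.lower().startswith(SYSTEM_PREFIXES)})


def ngen_chain_breaks(procs: List[Proc]) -> List[Tuple[Optional[int], Optional[int]]]:
    """Adjacent mscorsvw workers whose InterruptEvent -> StartupEvent hand-off does not match."""
    workers = [p for p in procs
               if p.image.lower().endswith("mscorsvw.exe") and "StartupEvent" in p.handles()]
    return [(a.pid, b.pid) for a, b in zip(workers, workers[1:])
            if a.handles().get("InterruptEvent") != b.handles().get("StartupEvent")]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print("re-hash / signature-check on a suspected host:")
    for path in overwritten_system_binaries(tree):
        print("  ", path)
    print("NGen chain breaks (pid -> pid):", ngen_chain_breaks(tree))
```

On the sample excerpt the first check returns the Chrome elevation service and vds.exe; run against the full tree it would also return alg.exe, aspnet_state.exe, the mscorsvw.exe service roots, ehRecvr.exe, ehsched.exe, IEEtwCollector.exe, GROOVE.EXE, maintenanceservice.exe, msdtc.exe, msiexec.exe, OSE.EXE, perfhost.exe, locator.exe, snmptrap.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, wmpnetwk.exe and SearchIndexer.exe, all of which the report flags the same way. On a live Windows host the follow-up is to compare those files' hashes with a clean image and run Get-AuthenticodeSignature over them, since a rewritten service binary no longer carries a valid Microsoft (or Google/Mozilla) signature.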
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.6MB
MD5
8d6fe846d4e7bf8c4e66d6ded7d98807
SHA1
f5f6faf6295287c5818e1f473df4291397f393bf
SHA256
08480ea37d0552637fa6b1fd33c655e0b9ed387d7d50bbe6ed30cf3ba3f7ede9
SHA512
49f08eb5082293dc12d98faaa6c64728b6c552795ac063615cd1bfa44d627a6fca0a9b1e1a186304bb70ebf51528e9800ed8cd24e5aa2a58aa946df6e976a05c
-
Filesize
30.1MB
MD5
c6f1363e94b53e33ac441c31cf333aff
SHA1
9e3e96fdff4c29a2ace615853288cba5bab50f4c
SHA256
d2467a439faf0bc53f0d4e8cb4e29ca99a662c02727df8c91cca222a71efebb9
SHA512
0d31184c38856f7bc296c80ba6d35b3d1f15a170e470a55e7c28814bac8ae7ef7a1382ffabebbedbbc96f66be9509dfad388fb3ae3ddf0bb8c5213709f401b91
-
Filesize
1.6MB
MD5
94d270afae9a6e216f3e6c1c2b876469
SHA1
84aff656ec62f8aedf3b0d7fb09b3d6f28b69884
SHA256
d93925b61de52b27eaa16caa5f26a02bf080c227d0058612722488265ed7a8ea
SHA512
166989c172b3a61b0594610033dcb098c14deae6435050dfe48579a597607e9e649c46b869bc9984f7960c79250bac2f45c8ee9b76be5dce2056feae6a77e510
-
Filesize
2.1MB
MD5
c2504abfc7646b15500487a88b6b4668
SHA1
bcbc97194581430ecdb8709d26f0ff717fed757b
SHA256
ad0fabdbf55be545590b70519bf200aff1179e5806791fb2e2e6ece9bb1f19d4
SHA512
51c490dee1901dd64d840bbe7866ae0e683aa314d2bba040cc90b0954654ba6c01b03dad65355a5f510f32e2cbcbd40828b9d58178f3071c74e80f5bca26ae45
-
Filesize
1024KB
MD5
51da34a4f22540e7676f7e66bbb3d544
SHA1
963a8594079797affc9f8761097d2923fbdaaa79
SHA256
9f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA512
33cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B
MD5
b9bd716de6739e51c620f2086f9c31e4
SHA1
9733d94607a3cba277e567af584510edd9febf62
SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5
84594ff70f0606c1bb48befb0b49ed0c
SHA1
2a96dd00da92d0cb2e13875fd50269e23aa61ba2
SHA256
40f68452a3f2aecea38529b717ef6581742027de172540a1802bb50483a85fef
SHA512
27914115a49c5d0f9de8fcd2064b3c93de7b933bb1b2bd31a8f09fdd23f7ae99b99f351692428c429f39698e5a3ce46add933b6fe1db23d3c70666d58ff2a365
-
Filesize
1.5MB
MD5
3831f755ded6d4a9b9f615b06e69f62a
SHA1
47f974b87ea7028452d8cb87e125cc97ea1659ce
SHA256
ff568c0c2e38918cce6fda690654ad6389eb0fac9c0b0c51ed84c23b7fcf41f8
SHA512
ac02931817d4b2406faf0cf28e10fc74a9ba6be348e0c374441373072e7abe3884c38daaebe979d96821a5da86a35ceee810523f5fb41014d9f3f018b42bf3c4
-
Filesize
1.5MB
MD5
c0b697843278e32a47e458e5d4e316a1
SHA1
c47053b148932156744d4aeda408e02e1fac2f26
SHA256
367ed4b0cae80e56b5c8504ec994ef5fee276f3195d25a58f10efd8691134c81
SHA512
e4a1a0faae22dcd97b27a13ad914573b0293dad1dd51e4deb490b1f40954b02cc0729ca0527f093fa274c69582afaca183d4d3e947938d32715f05e73315a065
-
Filesize
1003KB
MD5
1ed82ff5a869f082380e0cd57bf0a520
SHA1
e2cb01e5bc2621d99eec6c9f29c0981b9715cd68
SHA256
d8c915cc4b8137265061c1b100438a77161d0cdb5bfc36eb840e2feb0aa500a4
SHA512
069743c0471abab491ea9b797a69c2d4cd40c0b6a3aa2737a5da717a42a89bf91f93d68e520d39a1cadf79839dd069813064b766abbd68262e6bea5174663af3
-
Filesize
1.5MB
MD5
6428bbbffc23f8f5a54d6e66dd232cca
SHA1
ca351adc93b6387d90cfaffe6623ee9519cfe752
SHA256
91e9694d724b18d3a52205abd90774576106448f1117756dcda7cfd891507398
SHA512
16233e564b1824b66f9e91d6c3ee96906928380a9c04cf634adf30011f1af199cc9cf34fb0032f647683957c5fe5500cfbb1dd4e3cea1b4e3d13caa40080a248
-
Filesize
8KB
MD5
b1f14cd719b96aa01517e532fe9efc6a
SHA1
4454220001d8f3a1dc26843fac84da1621c38852
SHA256
1e53b7e58746d786a4c7408fcac6bb6ac875b2f2bbb82394b9df820906a88c24
SHA512
4518116d2026fd89ac78438c18f8d2b2283ecf060ff904f465de9d8d956beb69045bb3087adaced72783df9f86a0672ad13feef9ce3c0fbc4038c5bf74f422f1
-
Filesize
1.4MB
MD5
a4a50e21bec9869d340b490a588c60fa
SHA1
bddf59a60074f37e23b7b635d82c05c003fefba9
SHA256
31b9c56337853c78fab6eda78b21f44d0118c7868dbd8da2775ef6d65a7d3f21
SHA512
139e3f70b75d392a38a0ed1654a551add73496e5049872ee540442e5b4cc5568957500fa9935a819312570c7372274fcd8c0a37c72cc82aa729793ee448677d7
-
Filesize
1.4MB
MD5
05603e94944d55688bd43b4ceab35563
SHA1
95cbd164ff34bfde1a632fd29f23e8ca17585d60
SHA256
de4f837efe479fdd02029de75f44a546f9d315fc2a7f1322e7fdf7614aa583b4
SHA512
184fe0bdc85e3eb2451a91ef3ac576e44e4589e614b4bbe15d42255e4074b81e16b037cf9199b52f5664efca3776806e9888c1a796ea9dffd0f7203d932d1360
-
Filesize
1.1MB
MD5
a786564213e4bb74ace7029f756c8372
SHA1
6e2efa6278cd066c45dc0295b2bf39273733debb
SHA256
b62e1bb53473b48cd8ca1527b1730f241762f1837055dadb75ac65c15b9c5778
SHA512
8eadde87446a82520e2808a2a275e5c6b138fe37433dc0e70a85cb6b2ae74e6014ca7df04031dc651f7c88a0187c3200b68b19d866e86536396ff2875b303d06
-
Filesize
2.1MB
MD5
eee95009c7094b7d1cd4983802dd98a8
SHA1
7ce4924174d128b3409c0b9d4587b9922b34fba7
SHA256
e409c293b194f8955ee7b35e5a22ee7eedf6bda0345b7094856b35ee25302086
SHA512
754ab96e55bebfc74b18c649dc3525a10f4311dd8e4ffdcda785c4714bbfbbc7bfdf916b02cf530d29fec114f136fdc65fd0f26b520d028a6cb973800c9a313b
-
Filesize
1.5MB
MD5
d2680eb933e46586157501f102585a78
SHA1
2c8a228eeb5b65143ec32f4ea120c5c63245b97f
SHA256
6b908d70e7552073863bd57e1e2ad7ecbb19fb7292faecf224e3f2eb8248ad3e
SHA512
ac301c6422a0296e59b15baa243bfccd48a6bcfd0ba895d9383eb11dd47fa1822513f6651164d7b02f6a63ddbb793a4cb4fc6ae7a132f478764c68b8e42697b6
-
Filesize
1.6MB
MD5
1e28151dc581862722ad794308a54ef4
SHA1
e2f9794c54694471d9f8eb7cda3e9bd24b224547
SHA256
37ecb31e9c014759c06810bf99a073357f9abcdec0c154d9267e2203cde0944c
SHA512
de7328eaad1c7765354814ecaded433b9956873c771811c9720fd4ac30d3cba767b1f284d0541afbbc3236d25c63ef5aa39957afa1f94a2b742fa4bed2fa3311
-
Filesize
1.5MB
MD5
0b59834cc2e97dd06fba860fb7acfd0b
SHA1
6ac61bc8e6fed5ae1d19127ddec31029b9dec395
SHA256
251a5ec83134e769fd279e638f0b66f8fa3e946a4194212aab2350d2bee34d6e
SHA512
7079237ea68359a54336150a3bf528ddb0cd61f655fdf507c1d0fea87cff6058d6e86965491e0946d41d46cfd9610731428414af110aaefdb2a08f0794980368
-
Filesize
1.4MB
MD5
bb6d90c8b36948340ee1b2ce482ad412
SHA1
63d1201abd4faf62e31d4443b0831193d045607a
SHA256
7e6547dd44e00d1fb12103562055b2c25dd9ee84abf72ede3ea4d10555286aae
SHA512
d4351c05cd22f9f226aeb739fb6f9036fd8bdbfec378df35caa6183df3282a9fa07db42854021540d7f1b2fc7fe5648a38e66b002c706e2eae321a875bc1dda5
-
Filesize
1.9MB
MD5
8bd5f5f4e41f8bb9ce3133f863878611
SHA1
cfc62ef790b3ec7dc5a51901433dcf41963d828b
SHA256
e5d634e565b539a3c4aae9fb3cb165720dbe8a8eb305fff78901fbd46b9d73ab
SHA512
96fd00d0f5ef96a4559fd61e79924054194373a65884b64baab3780b9505cc81f3c77690c987dab6aa194e58ca4169681d21a5610c1ce9599c3de0ead50d19de
-
Filesize
1.6MB
MD5
11b3af857038bff7988bf3ccb8b34fdd
SHA1
e05c2ffadadaacf5236e744e75d98e04f814e6fa
SHA256
a8dc0054f6d7c46a10025a997d7f06b8832263de81e0194f81f19513623669ce
SHA512
aed064f529060c576015542e3a0623954516599652f32188f47b28b0f039e37343dcf134d2c371d4a2a834ebabed0aa288ed9f0d894dc7a4145f817bcbf0a4b5
-
Filesize
2.0MB
MD5
f617e8e9d704a2a35bff5b661f33938a
SHA1
5f277b8e757303e4d5d9f6f18ce20fd2b5624c2e
SHA256
155042758662f3c922cb679515d6604b41f925806155685a43c95a45fe293773
SHA512
b6948ffa3ddb24758e9d5c2787454153932e21b5803bc6f51dcfef2188543e2134e2e5ae74bed2a44616fa3335526323fdef924dc8b7b4bdc314e524eccdfa65
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize
797KB
MD5
aeb0b6e6c5d32d1ada231285ff2ae881
SHA1
1f04a1c059503896336406aed1dc93340e90b742
SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize
148KB
MD5
ac901cf97363425059a50d1398e3454b
SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB
MD5
c26b034a8d6ab845b41ed6e8a8d6001d
SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB
MD5
0fd0f978e977a4122b64ae8f8541de54
SHA1
153d3390416fdeba1b150816cbbf968e355dc64f
SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB
MD5
3c269caf88ccaf71660d8dc6c56f4873
SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\6ce18b2daab7ef4fa28980f88387f3bb\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize
83KB
MD5
5a60625416d1332aea9b003850e803dc
SHA1
d05fffa3f81355bd7a5079d6c1ec71c53ae61dd1
SHA256
625f75d63b0956df9536cfe2e0f689ba3473365445abcc8a9f53589e92c7256f
SHA512
63654afa6b106efd3e9072995a9f9126922b34c4aedd840c69b84777f03f2a8f667602636b0b4275fccc8580177867072e49cf91b2797bacf8e67bea8f7a6981
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB
MD5
4f40997b51420653706cb0958086cd2d
SHA1
0069b956d17ce7d782a0e054995317f2f621b502
SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB
MD5
e3a7a2b65afd8ab8b154fdc7897595c3
SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize
143KB
MD5
1eff63517430e183b5389ba579ed93e2
SHA1
5891927b05adc6db5464fb02469c113a975ebbf0
SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856
SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ad0f963135defa0279c87feaa3b15890\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize
180KB
MD5
70e52cb77bb4cda1e7941b3e37455d2f
SHA1
4bf08a9d44de076e1ca8476c6fbeec656734aebf
SHA256
dce2a6aebd7454c1e26a9977ac6097eae2aa3f4b9dc8d0bcc384d5b25bda49a2
SHA512
edf715fea84e5bc0e6520e1ff7887841062c08ce7db1493f983b5b16df434dc8fa77856d3d61c63e12de426826b0f22aa049cc4580094cbba8ec6ee1803e3191
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB
MD5
aefc3f3c8e7499bad4d05284e8abd16c
SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c34dcb914d9d2d91de40c3acaaa170de\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize
187KB
MD5
8c646d501e7d398d912a8efeecc8ce7b
SHA1
54f032de3748147e6123720b508f9f014fdb991e
SHA256
342dabfef3126107e7ec4572b6da6f319caa5a54560380aeea0a63a3daea7431
SHA512
b190467e1402d1e8d6bb9775985adc3facbf15dbbd675d422ae18ed3e206203a25ba5a0952e7d3df577f73c7e020a82833329db662b1085c37ef25157e2960f5
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB
MD5
9c60454398ce4bce7a52cbda4a45d364
SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize
57KB
MD5
6eaaa1f987d6e1d81badf8665c55a341
SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB
MD5
2735d2ab103beb0f7c1fbd6971838274
SHA1
6063646bc072546798bf8bf347425834f2bfad71
SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB
MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB
MD5
71d4273e5b77cf01239a5d4f29e064fc
SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize
855KB
MD5
7812b0a90d92b4812d4063b89a970c58
SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize
43KB
MD5
3e72bdd0663c5b2bcd530f74139c83e3
SHA1
66069bcac0207512b9e07320f4fa5934650677d2
SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
2.0MB
MD5
2228dfb83427a48f060b03513112c731
SHA1
9683ec39241768eeac310c0fd8f803622a658b86
SHA256
209662eea68db0bd4b73f2e192fce265d2fac972327bf80e039dc1b5f78d7b18
SHA512
1e00fbd24656e584bfbd8f84b8aa31b96bdd69ab05d61030a27750c712c051d354fabdcb9453fa7823bc8c083cc2966c90cbea903678550848f8acb107a35b0b
-
Filesize
1.5MB
MD5
280838ebb9425396d4f7e23a728a6218
SHA1
5e601da8533632f5d01d12fe99ad03435c425d22
SHA256
0ef6f8ae1a4e155a42faa9922d26c40b72c8eed7439738dd6ceecad8aca82291
SHA512
a61617a183347c1325b5d12cfc50e059c9a376183c67503707946ec2976a5c7283b536d7a0fdfb115db1278169f17177062d7382501d549b0af37d9d25287229
-
Filesize
1.5MB
MD5
e51a696288cc0563efe37b76d30c00a1
SHA1
9b2f66ff19ab5a9b78b80491ae77bad694e3f3e2
SHA256
f0aba646ae8b55b16fe96f4f342d53085c1a3e8a36ac9a2f310b83519d9ed108
SHA512
057b6d01729585ca683b5df5513f5752c680a2c5cad7a9c590cd3623e31aa789f3c4543a0c1b186a2d6ee611c17e646a160e82d05caec5a1dc400086a5848abc
-
Filesize
1.5MB
MD5
6d04bacbfdca6b4e97b91fa85710b13a
SHA1
23aab62f523d54e9bea90624c2ac6a828bfbf1d6
SHA256
9532bd6e7761651afc481cae9e26a34bf2a727dde65d7384c66cf3caf295db4f
SHA512
a3983c2535cf91aead1182058a5eab86b27ef186d53f8c8ac970602d73d5971b0ce04ffbe99c5b4a815d212fb4ffa7fd4c9447fdc27de869245ffda014021885
-
Filesize
1.2MB
MD5
23ef9f22068a4ac8373867105cb5ec40
SHA1
baa82f69543bbf2f67db6a551235e81fffeb5d7c
SHA256
93931232f1fb473f692442c03a65da9c5f1960ae0342c005d3306746df440ec8
SHA512
8af4517fea29911edba261f13f26ba753b9ba95f81b6c489b6396f203a5d5b4613a07d7e6e8ee695a1ef1d870d0978587858cacdbcce3f2d02331be3b17ff5cb
-
Filesize
1.6MB
MD5
b91879da3a540bd75b5bdf63dcba4fb0
SHA1
bfa675f6c2e11e5a025ddee205959d0be5e9d146
SHA256
3f9956463675bb670991854060c229a633bb7e386cc8d6ef8ddc5605a42a8b13
SHA512
455a74b41434ae6028687afbe27caf586eb9025422b1e206cbcbd1ea64d9ee8c90637dca5acd058fd22b03b7039424ee1a1a7dfc16d6eba61770f7089cea7566
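The Downloads list above is only useful once it is machine-readable, so here is an added example (not part of the sandbox report or its tooling) that turns it into a SHA-256 IOC set and sweeps a directory tree for files matching it. The parser accepts the list in both forms the page's text export produces: a label fused to its value ("MD5<hex>", "Filesize24B") and a label on its own line with the value beneath it; it also validates each digest's length and charset, which is the check that catches a label glued to the wrong digest or a truncated copy. SAMPLE_DOWNLOADS is a constructed two-entry excerpt of the report's own list; the planted file, the temporary directory and the function names are this example's assumptions.

```python
"""Build a SHA-256 IOC set from scraped 'Downloads' entries and sweep a directory for hits.

Added example, not the sandbox's own code. SAMPLE_DOWNLOADS is a constructed excerpt.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_DOWNLOADS = r'''
-
Filesize
1.6MB
MD58d6fe846d4e7bf8c4e66d6ded7d98807
SHA1f5f6faf6295287c5818e1f473df4291397f393bf
SHA25608480ea37d0552637fa6b1fd33c655e0b9ed387d7d50bbe6ed30cf3ba3f7ede9
SHA51249f08eb5082293dc12d98faaa6c64728b6c552795ac063615cd1bfa44d627a6fca0a9b1e1a186304bb70ebf51528e9800ed8cd24e5aa2a58aa946df6e976a05c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
'''

LABELS = ("Filesize", "SHA512", "SHA256", "SHA1", "MD5")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    path: Optional[str] = None      # the report lists some entries without a path
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)


def valid_digest(label: str, value: str) -> bool:
    """Length and charset check for one digest; rejects glued or truncated values."""
    return len(value) == DIGEST_LEN[label] and HEX_RE.match(value) is not None


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
        return
    value = value.lower()
    if not valid_digest(label, value):
        raise ValueError(f"bad {label} digest {value!r} for {rec.path or '<no path>'}")
    rec.digests[label] = value


def parse_downloads(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    cur: Optional[DroppedFile] = None
    pending: Optional[str] = None          # label seen alone on a line; value is next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                    # entry separator
            cur, pending = None, None
            continue
        if cur is None:
            cur = DroppedFile()
            records.append(cur)
        if pending is not None:
            _assign(cur, pending, line)
            pending = None
            continue
        label = next((lab for lab in LABELS if line.startswith(lab)), None)
        if label is None:                  # not a label line: the dropped file's path
            cur.path = line
        elif len(line) == len(label):
            pending = label
        else:
            _assign(cur, label, line[len(label):])
    return records


def ioc_set(records: List[DroppedFile], algo: str = "SHA256") -> Set[str]:
    return {r.digests[algo] for r in records if algo in r.digests}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Walk root and return (path, sha256) for every file whose digest is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                d = sha256_file(p)
            except OSError:                # locked or unreadable: skip, keep sweeping
                continue
            if d in iocs:
                hits.append((p, d))
    return sorted(hits)


def demo() -> Tuple[List[DroppedFile], List[Tuple[str, str]]]:
    """Parse the excerpt, then sweep a temp tree holding one planted match and one miss."""
    records = parse_downloads(SAMPLE_DOWNLOADS)
    iocs = ioc_set(records)
    planted = b"constructed stand-in for a dropped file\n"   # not real sample content
    iocs.add(hashlib.sha256(planted).hexdigest())          # gives the offline sweep a hit
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "NativeImages_v2.0.50727_32")
        os.makedirs(sub)
        with open(os.path.join(sub, "planted.ni.dll"), "wb") as f:
            f.write(planted)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        hits = sweep(root, iocs)
    return records, [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    recs, found = demo()
    for r in recs:
        print(r.path or "<no path>", r.size, r.digests.get("SHA256"))
    print("hits:", found)
```

Feed the whole Downloads section to parse_downloads and point sweep at C:\Windows\assembly (or any suspected host's volume) to find the NGen native images and other dropped files by content rather than by path; the entries the report lists without a path are exactly the ones a path-based search would miss.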