Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 17:03
Static task
static1
Behavioral task
behavioral1
Sample
fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
Resource
win7-20241010-en
General
-
Target
fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe
-
Size
1.5MB
-
MD5
059d36688fa358320ccc649a57cc3630
-
SHA1
2f00d0f2bfac22d78c4139fb2050a13ec6f92320
-
SHA256
fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aa
-
SHA512
51dea25579fbc5f2790a820a493aecfb20aa37de6f1c86f049bdde85c856c7e8d607ba99325882664c2db4bf6b7fba4601b8cbd3d56e70f1d38b1e05468e4779
-
SSDEEP
12288:D8G9hvvnGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:DTvmt/sBlDqgZQd6XKtiMJYiPU
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 468 Process not Found 2764 alg.exe 2768 aspnet_state.exe 1740 mscorsvw.exe 820 mscorsvw.exe 1680 mscorsvw.exe 1572 mscorsvw.exe 2888 ehRecvr.exe 1776 ehsched.exe 2520 elevation_service.exe 1544 IEEtwCollector.exe 1376 maintenanceservice.exe 2312 OSE.EXE 2304 mscorsvw.exe 2960 mscorsvw.exe 1740 mscorsvw.exe 1992 mscorsvw.exe 2484 mscorsvw.exe 2320 mscorsvw.exe 1488 mscorsvw.exe 2620 mscorsvw.exe 1696 mscorsvw.exe 3064 mscorsvw.exe 2952 mscorsvw.exe 2268 mscorsvw.exe 2376 mscorsvw.exe 928 mscorsvw.exe 1772 mscorsvw.exe 3004 mscorsvw.exe 2180 mscorsvw.exe 2620 mscorsvw.exe 2868 mscorsvw.exe 1480 mscorsvw.exe 2348 mscorsvw.exe 1744 mscorsvw.exe 2556 mscorsvw.exe 1832 mscorsvw.exe 2784 mscorsvw.exe 952 mscorsvw.exe 2492 mscorsvw.exe 736 mscorsvw.exe 2484 mscorsvw.exe 2408 mscorsvw.exe 2152 mscorsvw.exe 1524 mscorsvw.exe 904 mscorsvw.exe 2636 mscorsvw.exe 1716 mscorsvw.exe 2624 mscorsvw.exe 672 mscorsvw.exe 1672 mscorsvw.exe 2980 mscorsvw.exe 1800 mscorsvw.exe 1028 mscorsvw.exe 1732 mscorsvw.exe 2184 mscorsvw.exe 2616 mscorsvw.exe 632 mscorsvw.exe 904 mscorsvw.exe 2636 mscorsvw.exe 2700 mscorsvw.exe 2624 mscorsvw.exe 872 mscorsvw.exe 2992 mscorsvw.exe -
Loads dropped DLL 37 IoCs
pid Process 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 2408 mscorsvw.exe 2408 mscorsvw.exe 1524 mscorsvw.exe 1524 mscorsvw.exe 2636 mscorsvw.exe 2636 mscorsvw.exe 2624 mscorsvw.exe 2624 mscorsvw.exe 1672 mscorsvw.exe 1672 mscorsvw.exe 1800 mscorsvw.exe 1800 mscorsvw.exe 1732 mscorsvw.exe 1732 mscorsvw.exe 2616 mscorsvw.exe 2616 mscorsvw.exe 904 mscorsvw.exe 904 mscorsvw.exe 2700 mscorsvw.exe 2700 mscorsvw.exe 872 mscorsvw.exe 872 mscorsvw.exe 1676 mscorsvw.exe 1676 mscorsvw.exe 1596 mscorsvw.exe 1596 mscorsvw.exe 1524 mscorsvw.exe 1524 mscorsvw.exe 1120 mscorsvw.exe 1120 mscorsvw.exe 264 mscorsvw.exe 264 mscorsvw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\system32\dllhost.exe mscorsvw.exe File opened for modification C:\Windows\system32\fxssvc.exe mscorsvw.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\62b62d695f6c6349.bin alg.exe File opened for modification C:\Windows\system32\dllhost.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File opened for modification C:\Windows\system32\fxssvc.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\System32\alg.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe mscorsvw.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe mscorsvw.exe File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE mscorsvw.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe mscorsvw.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe mscorsvw.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe mscorsvw.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe alg.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe mscorsvw.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe mscorsvw.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe mscorsvw.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC8A.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE456.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF96C.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehRecvr.exe mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC59.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF1FD.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP648.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe alg.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEA8E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP34B.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE198.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 62 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie ehRecvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software ehRecvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" ehRecvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft ehRecvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit ehRecvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" ehRec.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 872 ehRec.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2740 fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: 33 1924 EhTray.exe Token: SeIncBasePriorityPrivilege 1924 EhTray.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeDebugPrivilege 872 ehRec.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: 33 1924 EhTray.exe Token: SeIncBasePriorityPrivilege 1924 EhTray.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeDebugPrivilege 2764 alg.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeDebugPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe Token: SeShutdownPrivilege 1680 mscorsvw.exe Token: SeShutdownPrivilege 1572 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1924 EhTray.exe 1924 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1924 EhTray.exe 1924 EhTray.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2304 1680 mscorsvw.exe 44 PID 1680 wrote to memory of 2304 1680 mscorsvw.exe 44 PID 1680 wrote to memory of 2304 1680 mscorsvw.exe 44 PID 1680 wrote to memory of 2304 1680 mscorsvw.exe 44 PID 1680 wrote to memory of 2960 1680 mscorsvw.exe 45 PID 1680 wrote to memory of 2960 1680 mscorsvw.exe 45 PID 1680 wrote to memory of 2960 1680 mscorsvw.exe 45 PID 1680 wrote to memory of 2960 1680 mscorsvw.exe 45 PID 1680 wrote to memory of 1740 1680 mscorsvw.exe 46 PID 1680 wrote to memory of 1740 1680 mscorsvw.exe 46 PID 1680 wrote to memory of 1740 1680 mscorsvw.exe 46 PID 1680 wrote to memory of 1740 1680 mscorsvw.exe 46 PID 1680 wrote to memory of 1992 1680 mscorsvw.exe 47 PID 1680 wrote to memory of 1992 1680 mscorsvw.exe 47 PID 1680 wrote to memory of 1992 1680 mscorsvw.exe 47 PID 1680 wrote to memory of 1992 1680 mscorsvw.exe 47 PID 1680 wrote to memory of 2484 1680 mscorsvw.exe 48 PID 1680 wrote to memory of 2484 1680 mscorsvw.exe 48 PID 1680 wrote to memory of 2484 1680 mscorsvw.exe 48 PID 1680 wrote to memory of 2484 1680 mscorsvw.exe 48 PID 1680 wrote to memory of 2320 1680 mscorsvw.exe 49 PID 1680 wrote to memory of 2320 1680 mscorsvw.exe 49 PID 1680 wrote to memory of 2320 1680 mscorsvw.exe 49 PID 1680 wrote to memory of 2320 1680 mscorsvw.exe 49 PID 1680 wrote to memory of 1488 1680 mscorsvw.exe 50 PID 1680 wrote to memory of 1488 1680 mscorsvw.exe 50 PID 1680 wrote to memory of 1488 1680 mscorsvw.exe 50 PID 1680 wrote to memory of 1488 1680 mscorsvw.exe 50 PID 1680 wrote to memory of 2620 1680 mscorsvw.exe 61 PID 1680 wrote to memory of 2620 1680 mscorsvw.exe 61 PID 1680 wrote to memory of 2620 1680 mscorsvw.exe 61 PID 1680 wrote to memory of 2620 1680 mscorsvw.exe 61 PID 1680 wrote to memory of 1696 1680 mscorsvw.exe 52 PID 1680 wrote to memory of 1696 1680 mscorsvw.exe 52 PID 1680 wrote to memory of 1696 1680 mscorsvw.exe 52 PID 1680 wrote to memory of 1696 1680 mscorsvw.exe 52 PID 1680 wrote to memory of 3064 1680 mscorsvw.exe 53 PID 1680 wrote to memory of 3064 1680 mscorsvw.exe 53 PID 1680 wrote to memory of 3064 1680 mscorsvw.exe 53 PID 1680 wrote to memory of 3064 1680 mscorsvw.exe 53 PID 1680 wrote to memory of 2952 1680 mscorsvw.exe 54 PID 1680 wrote to memory of 2952 1680 mscorsvw.exe 54 PID 1680 wrote to memory of 2952 1680 mscorsvw.exe 54 PID 1680 wrote to memory of 2952 1680 mscorsvw.exe 54 PID 1680 wrote to memory of 2268 1680 mscorsvw.exe 55 PID 1680 wrote to memory of 2268 1680 mscorsvw.exe 55 PID 1680 wrote to memory of 2268 1680 mscorsvw.exe 55 PID 1680 wrote to memory of 2268 1680 mscorsvw.exe 55 PID 1680 wrote to memory of 2376 1680 mscorsvw.exe 56 PID 1680 wrote to memory of 2376 1680 mscorsvw.exe 56 PID 1680 wrote to memory of 2376 1680 mscorsvw.exe 56 PID 1680 wrote to memory of 2376 1680 mscorsvw.exe 56 PID 1680 wrote to memory of 928 1680 mscorsvw.exe 57 PID 1680 wrote to memory of 928 1680 mscorsvw.exe 57 PID 1680 wrote to memory of 928 1680 mscorsvw.exe 57 PID 1680 wrote to memory of 928 1680 mscorsvw.exe 57 PID 1680 wrote to memory of 1772 1680 mscorsvw.exe 58 PID 1680 wrote to memory of 1772 1680 mscorsvw.exe 58 PID 1680 wrote to memory of 1772 1680 mscorsvw.exe 58 PID 1680 wrote to memory of 1772 1680 mscorsvw.exe 58 PID 1680 wrote to memory of 3004 1680 mscorsvw.exe 59 PID 1680 wrote to memory of 3004 1680 mscorsvw.exe 59 PID 1680 wrote to memory of 3004 1680 mscorsvw.exe 59 PID 1680 wrote to memory of 3004 1680 mscorsvw.exe 59 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe"C:\Users\Admin\AppData\Local\Temp\fbd75dc17850e5abdfd66b409321d91645a1f2437e4ea845c55fa5dbdff305aaN.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2768
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1740
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:820
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 23c -NGENProcess 264 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 23c -NGENProcess 1f8 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1f8 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 250 -NGENProcess 1e0 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 274 -NGENProcess 240 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 23c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 258 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 274 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1e0 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 284 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 1e0 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 27c -NGENProcess 290 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 27c -NGENProcess 1f8 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 23c -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 298 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 2a0 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 294 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1d8 -NGENProcess 27c -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 27c -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2d8 -NGENProcess 2a4 -Pipe 210 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 27c -NGENProcess 2a4 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2e4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2dc -NGENProcess 2d8 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2ec -NGENProcess 2a4 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2a4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2fc -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d0 -NGENProcess 304 -Pipe 31c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 304 -NGENProcess 314 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 30c -Pipe 318 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 304 -NGENProcess 320 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f4 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 328 -NGENProcess 324 -Pipe 30c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 334 -NGENProcess 320 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 320 -NGENProcess 2f4 -Pipe 330 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 33c -NGENProcess 324 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 324 -NGENProcess 334 -Pipe 338 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 344 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2f4 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 34c -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 334 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 354 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 33c -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:860
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2784
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2888
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1776
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1924
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2520
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1544
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1376
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5f401914b9e8e2a6f5c359dca8170b26d
SHA17f46ab3eb18ff9d19a2d2ad8a7dd53e6358769c2
SHA256821c923bdea016e721170616a5e3c7e5cbbb463491f1c12ecc94a965bdd8b27d
SHA512095b0b301e195485a60a8736a0b0eeb61c633a1c4ffe6fde132964595e1a3c74d26a0e96fa7cb6cc45f4cab5271e0fead8a21d418bbd2c96746dea92459e89dc
-
Filesize
1.6MB
MD53c2a4d09f73a8c0d7a508024db2ec6b8
SHA1822b927bd0893bf193bd5f7e4713bdea6bdc60fd
SHA2568306f4352afa426ac2b07eaa8529bc4bef99229b485b397f7778e036c2a2951e
SHA512cbec83e3bc95eb5b7f005fe8e886333cec0b2a188aa35201c50a262361dae445df3b7aa0b5ac2cf7f6181af084845ab789749f0f5d85a5cf7df30324c86ff4f3
-
Filesize
1.3MB
MD51ac1d50f41debee4020651d77c4e90e0
SHA1da6972e758c0e8a4182b4efc3d0ac06fe3c01255
SHA256165fae0ffe7d4978b6167d0e00b555b81e5f8824fde244a7bc2eda2ef7bba772
SHA5128231b2539484fbfcfee6b96427ad5eb4a6b4ba6b6cccad45b716533fc6136f03a9ecf66d0186d3132416a70753c8af72b7954dfff84da463cdb75f862a7acdea
-
Filesize
1.9MB
MD54eaeccc7fee1276a2329b0c51549941b
SHA188963eedd77c19a0357eddacb391e191d8d16915
SHA256f64afef7d807700105c058be75d958997c58d37464bdcfd68ebe1d4b61614f78
SHA512f3adb54b19076601f2c9410cf314b68cea8e6aaf6e38525395f541fc3f49fd8f671321adaf3266f2f87eeab1015d545a5c89098b831438ff70236610a24582ce
-
Filesize
1.6MB
MD573d3bb7bd3ba5dba304da96d0338c70e
SHA193efe08310b89d014625fc1e7cb8adcbd93f3795
SHA25666c9df74ea454824385375a9c2397df43de9fa475560fefe1b91baaae0ef8943
SHA51287529d9c2ea3b2eeac43e778941f24a2a0b6ce891b32829bcac8dda9cc27c416c4b191bec69359377a95514c6fa433bfbf48a9b5ad8b12a03133836e871a44ad
-
Filesize
30.1MB
MD531fa90033f60337203efe60cec0bf512
SHA1ea5632150621ee48e526ead97ad80fe55033646f
SHA256f688ec57b619b311a0760c4f3da400c1b2715805ffb516b31129dd2f9d9fa5c8
SHA512a142254009c10c56ef1cd45fb4ecf69a8197f2d872f53dbf87e6b688c7c337622210e3aa1f67b7fb9a8584bc4581e4fe3b94becfd2abf40821814e4b78818458
-
Filesize
1.6MB
MD53e2e3227ec8c893dd045cd002384504f
SHA160694157e6e92b7fbf19cd07b7ee05c3dce885c4
SHA256012d9074cb9992f0dc6c51a598002e8f7f6f35563482c9e0cc3b97cf65a5109c
SHA5125becf41d877846c64efe0528d1ff7a2da07e708f975abe122979dc3b65bf07c62580323fdc4c83f96a914cb93503611db70a4a1b1c46af36cee7dd142d27905b
-
Filesize
2.0MB
MD50de6dd94557bd059ea4d503084d98fbc
SHA1223591b9f6de59b3f7fdd95a6199683028ab087c
SHA256d56ac8332826e37e5e9fac49517f8672ae06d3b7f151b45d9bf77a806eef57d1
SHA51298b4f086ef58cc34fa71d46f7477db6b4545b8d1a9740c4debd94c70f32d3fa3214411fda244209c09d9055623833cc8ea640cdcac6ec0a4fa64aef6c1c5d602
-
Filesize
1.5MB
MD5e2395bbe0e26d1e60e7ad19586f0caaa
SHA1347cab197437a94bc1f90c2ea4d63d31fb6fc5cd
SHA25630061afe913529f43252af5f73c3c28d50c2bf41bb3cfe6e575b106ab738a7bf
SHA5122bc52cad15653b36135df5cb38970f83262bccfb481c4153aef9f2afcf2a891158d3005b11d034f4a3dad094eebdbc74284108d423b128c7e16827d9ae3fd671
-
Filesize
1.2MB
MD585a48d3d423e164b798a6ed4cc9c0334
SHA1db36cd2b585d8421c5ebb0600d1e97f1e8ac20a0
SHA2567a97f570609cc20c4a9064d9f79b90c26302fc271f2523cdb0db77de31eeb8f8
SHA512e654bd3bc8112189ceb98ecc24642ded578618d5258fa886faf5145712036a0335331a3a003f80675ac1efe6bbe256b03b9266bdb12b91fd9be7f85baf8525a1
-
Filesize
1.4MB
MD54de18018556467a43a82101161bbb388
SHA16c13d6019d069cde1ab86930f7ae54eed4814bef
SHA256ddc5a92c7e779b98ad1fd8af86c6db30169d68e404608f4dc781a9dbefd02449
SHA512583d284086ce74c74695de4420d97b2862fe1981f31154e764b36b5e08c3d994229347e4713c4ec4685b313ebb90604c6b0cad24bbde4eb2abad956deaf76af9
-
Filesize
4.8MB
MD50864111fd99de9aa4baf991055e2e519
SHA1a06b1550aacd25c15fd2a3ad1f17e803db26cbca
SHA256f62795fb8efa355fa48f12a73aa591fa95b0c06662980ee99fa592612900e24c
SHA51238f3ca3c8f093c95bff47507ad76eddfb12af4cfda020eb2fba87f63b6bfe790ebfeb9789c5ebf70853a56043daa6cba8c8681fdae3330e858240489bd105f67
-
Filesize
4.8MB
MD53def130f626d348d16be2c87b9dc855e
SHA1076eef23f298b999e17da4f60b8efb942ed5e691
SHA256712fdd98747962bdeb40f5f0e4c7b43613b056b6e40aeeed68a4b0d36e90595c
SHA512b9ca3313023e928a0dad94ea5a694fbefc0c069cbcbdfc8eef59d2cc2be2583c9ba646a477b1f4942bce4b05037b89e7ccdc082b51d85e9693c6ed0efe07bf57
-
Filesize
2.2MB
MD5046b6d3c03c5505d5d68b9a9cc08173f
SHA1c1fb4fcdde94b4a47e1da7a42452d95347bce33e
SHA2560f34341cfbb6e93ae87af528e34c4528b07dbe59f9bb7a2aa4a4363532d7c2b3
SHA5127760f6717a2c84c8c424205a1727dd2978b6316bf217b8dfa911196648da94d73420f7ab715b4c5e0845caa0bae644a42fbcc3ff9d19ee5e0d18f6f04b9192f3
-
Filesize
2.1MB
MD5195fe9aa82fe8cd68a3fa70f067fbcf4
SHA1ee2e7dbf260332e68a61d3c8fd0a4f0aa6475eca
SHA25634b55a6ce51e731b5936de9aae3f8d792169b70a1039ad09c3b7fb05ab4b08fe
SHA51265c72ceed7ed5625bf5b32ba37c10e87bed844f7f12984e2a6e0f0abd8bd6d122abb2b9bee9e98c7e3628c571ad4ff578ddc7e1fb67b46b8f825407eddebbc9a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5de0f96f561a85f9673db2542cc7ca557
SHA14d5755f52fd41e028706c091614da542fde894c3
SHA25632379d80075c8df7a039f994b8f2d241f6703c8858b49f0aa45c54ec88be7831
SHA5129bd0a2dce9e6e24ebe781b2e6ddc7d885a428955be8b7750792b1ce03e731c909345f3381ff0df0d21c456625d48e92161e996a32d55b11e930c9b8cf1ab4af1
-
Filesize
1.5MB
MD58e575b280ce1af7e06d50f16ce160d0e
SHA1b4671df17e75c4e54ba212a0b1ab5135563ca507
SHA25638b037d2000b120f99878fe0c7d0073992f21175959a8621bf551fef47cefef2
SHA512cb236c62d768f3b25d8afd384e7dab0db90a46b2a99da270f413fc8b4b49aa5ac33822a4c3a5f1868e42c87f411dc7237e1ffbbc5e52e26ecd5315e8bcd57868
-
Filesize
1.5MB
MD51e6f57c210046e2d15a01d49e1a7f4ea
SHA133a154f82571a170983fb5823ba7eca0fc1c7e82
SHA2561a89391c19d663669c2bc5209ba9745459e36a92528ae8574d380c189712a713
SHA512c14ae51983c18d073ff8f356705b2c2c8482a872680418409efe32ef462d03a37969c6a25c5b4e6671086e8ef366791e073e4da409634ea94095506a9ec2325d
-
Filesize
1003KB
MD51eec3a0b9e19b91f8e35669572547546
SHA153eea895127be162e46af675e5a566e2709035ad
SHA256b2e388483d2af050efe4fe86083220063e0904077f896ebe1da9cfae7b723144
SHA512c0cb30f37c2fbaab7d2b44800a28cfa1c78753412b54ccc0317b91c7381090e48169d106ca9351d615995813d5306676613e0010455c704b86fa8babfbd11be7
-
Filesize
1.5MB
MD5fc30a84033ec925271ab354904fe15c8
SHA1dd1a35777298850f9b5d2ab923806715f5260b47
SHA25682f2d3a49b983815e0b959db38beb64422128216b7b2c2cf02598d36fbc747a4
SHA5126c5fea18ab0f82b8c9281b4a08a75612b8e0d19c3a4c7ed7e2cc0ce9cc6d6b47fc3a7dab16b0e7f4edd2c7f88b5b6c5cb442881ac06ba7236c34a2b569b51049
-
Filesize
8KB
MD5f99d36e430229fa34d0cd106f00ff9a6
SHA1b2b70e60ef73c5ebcd6fc78fbb06e6c620e80a81
SHA2568a39bf86a6715349139c0d1d0f349dbad7011f15fcf9207c064f118e2a4a6ebd
SHA512def4ea7962b49abcbc0f52e68aa13a40c0a9b91b9303c4d0b739a17996b515dc5e8231eb118422a8ba47207115111fe71c8b4cfd3725a9409fd80dd9d5d3f809
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9419a3640bc85a8d57ac5ecd0caf2feb\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD53bb918532b17f209b7143b833b8fc127
SHA101edb0209c2d517bcc84052c1f0a03440a7feb49
SHA2569874f27354d5e43f7ccedf5eb33d5792e98c4f7856ef38a8faad1baec0165cd3
SHA5122302aa19957ae2ce2d40a9cf720b90295a84bc66deae938da03442d3807f4aa40cf9c019bfb52a48ef5d0ee7dda2d95dcd36b2a68284b324f2fa162e701fec18
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\be84308c4c0046659a9c19981cefd1fd\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD5df96fe9001366045f2d4616b56d5aee7
SHA11209977b1b92204b85984998f31d6ac5c2cf8963
SHA256339d8613600c13496f3b96300741992f46dba21035c2c3364eab5acf68c48bd0
SHA51233b660e59ef8a18fd699b3a9d629922058c0651c377ac29d3923c0d9f27b439863b83de2a00408dafed3c6a4ba85fb46ee8c51eefbf5c8c352695b15c29a4e54
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5f786ebe6116b55d4dc62a63dfede2ca6
SHA1ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA2569805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA51280832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fe14aaba65f41b6628fcfb4b7acf9f2f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD5b3e7a063bb248a6c4d214c67f766fc74
SHA1a04c5600a8717e39f25189a1fbd4f1bbe0adb82a
SHA2566eede9778c5b846b02246d3e2a45818b1d3a7865d2a15cb64e82540fa8875864
SHA5121606b0a549359c1437ba2d5d7b21ab5777c79e53f40e237cf587db834bbf2740a301c619e5e31f7e0714e93f9860ebbc21cd2ef1c158b10d1058623f6709386f
-
Filesize
1.2MB
MD53500a6e75b2c79ca4ece46b89ec336f7
SHA174dd869e8cc85c0b2b9d161027cc6cf7a10fa74a
SHA2569b9994dab1fda32c82a171a98063ce880ad791afa712cb5b6fc3a5e1515ecf17
SHA512391b6affaa3d8bc003e0c3361bc4892bc557ea6fd5398af5fe5bdec24a23c00cfce822fefe05f52d4e98233460a7723e6fd5ca5f8ff602c49b5b9001127c3d40
-
Filesize
1.5MB
MD5273fc7f8d0cac2371ba45848e4b0e92f
SHA1b78c236e2e222738ef89459a53a40c61dd3fa9db
SHA256d80c101f2304bcaed3461ba564c13eaf27206339c658494349c69f341316e5b7
SHA512ad86ffa87d7f3eda679eb496c706f59d74a9cdbc8292706c08f6c4c8ea935b84776f55c319abb2f29486c3c55478b753858566c4e57e44b8e3f13560d589fc9e
-
Filesize
1.5MB
MD5750cad2282e838762841515535ad4148
SHA1f1022d5e31cb1e11c8ffc0ccf5183491a1d0f83a
SHA2563ae580543f5d314e7c0e44d23b19bfb0122c7f5a5ae307a7fb7c3968a0804150
SHA512dc6cc399d0a75841e270c7633d97100a9682514e76b0ef62006a8498c20942adf89e473ce35fcd6de35bc418794d91ef4420e7104c203fa133e68b29e746b908
-
Filesize
1.5MB
MD57b7437949359b64786a41216a0d0e31b
SHA12546580df743a4863239db9d475cafcab1ca1a64
SHA2561697d85046aa70987dad1dd4d7a9567f463e5d51c25439d74eea8da6437c7f97
SHA512950a7fd37733c190b33ba89e9680085083080fef634997d152cbd6263718c9d86513efc1fcb0125bc664777dfd00f6c1e0d54917c844e7d02be0031b5181acbe
-
Filesize
1.5MB
MD57409d92f6ee259097412656ec28119de
SHA1154c71a52dfe30a4adb53e435fcc0fbcd9421cc8
SHA2567911d200032f65eac8f50239f1b78153c6f148733ca1528571c97926a999e09d
SHA512a2f23624758a95b92467c88614568186e397aab1c0f0f1e86562445c2c1c43a8ee72ac350484ed202dff62c4a00f7af409a3efb80c32ac0fda5fa53ad44ab17b
-
Filesize
1.2MB
MD586cf6330610cb575a647e58b6eb532ad
SHA1f11157f72c969f3df2e643054e2c83f4764821be
SHA2566b36597208f3165f42aa59ab7b7c1b3cfe37bcf43565f06054442cdcd04b6ade
SHA512ffd84c69c30875b2ea81119ca3ee98f9beac95345395718d68a210cd0d28fb830534c00da857ae80376023a3e6ffafb25e112bd377a2c521e10a4d69103bb287
-
Filesize
1.6MB
MD56f84163174432b18798731310ebc3d91
SHA1ae6ae4be120b74e59393b8e55b182d6d79d4be9f
SHA256fe4b02e8b2638d7276d189cc6b38b3f7e4bead3d24fda6f51f7bf42ec786c203
SHA512fd8bae52b152752c5cd5cdeea97ad867471b5e8c599e0aa38696d7621ccfb41a2194c9097764abda23274debab68783a2798e31dad90eede7176d765ba6c55b8