Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/11/2024, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
Resource
win7-20240903-en
General
-
Target
fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe
-
Size
1.6MB
-
MD5
b976fda026ee3bc24fd7f2be7e1ce100
-
SHA1
caa0e9e711ab20c84599c464ef67c7407b8572da
-
SHA256
fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7c
-
SHA512
d872a40955249c81d9135deb74b2a78a965d83db54d92a518ac3ec4ca47ab461c81218ac69bd2a9f4006b2e3bd0aea7c0a693669ab74178666f11e1d6996497a
-
SSDEEP
12288:16jzSM5PqFohpSS8IVYLdWQTs9qFjQYunVrGbqAs:16SM5HhpyYYLdWQQ98qVrs1
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 476 Process not Found 2540 alg.exe 2888 aspnet_state.exe 2804 mscorsvw.exe 2776 mscorsvw.exe 2616 mscorsvw.exe 2408 mscorsvw.exe 1680 ehRecvr.exe 1252 ehsched.exe 2928 elevation_service.exe 1008 IEEtwCollector.exe 848 GROOVE.EXE 2240 maintenanceservice.exe 880 msdtc.exe 2152 msiexec.exe 1628 OSE.EXE 592 perfhost.exe 2524 locator.exe 1584 snmptrap.exe 2848 mscorsvw.exe 2660 vds.exe 1636 mscorsvw.exe 2000 vssvc.exe 1872 mscorsvw.exe 1956 wbengine.exe 1500 WmiApSrv.exe 968 wmpnetwk.exe 1132 mscorsvw.exe 2104 mscorsvw.exe 1348 SearchIndexer.exe 2480 mscorsvw.exe 2712 mscorsvw.exe 2984 mscorsvw.exe 3064 mscorsvw.exe 2004 mscorsvw.exe 2240 mscorsvw.exe 2692 mscorsvw.exe 1968 mscorsvw.exe 1740 mscorsvw.exe 556 mscorsvw.exe 2904 mscorsvw.exe 1916 mscorsvw.exe 980 mscorsvw.exe 2008 mscorsvw.exe 1808 mscorsvw.exe 1132 mscorsvw.exe 2652 mscorsvw.exe 3004 mscorsvw.exe 2580 mscorsvw.exe 2624 mscorsvw.exe 1964 mscorsvw.exe 872 mscorsvw.exe 2876 mscorsvw.exe 1708 mscorsvw.exe 2092 mscorsvw.exe 3020 mscorsvw.exe 2340 mscorsvw.exe 2216 mscorsvw.exe 2932 mscorsvw.exe 2124 mscorsvw.exe 2880 mscorsvw.exe 2736 mscorsvw.exe 1752 mscorsvw.exe 1192 mscorsvw.exe -
Loads dropped DLL 62 IoCs
pid Process 476 Process not Found 476 Process not Found 476 Process not Found 476 Process not Found 476 Process not Found 476 Process not Found 476 Process not Found 2152 msiexec.exe 476 Process not Found 476 Process not Found 476 Process not Found 476 Process not Found 476 Process not Found 756 Process not Found 2092 mscorsvw.exe 2092 mscorsvw.exe 2340 mscorsvw.exe 2340 mscorsvw.exe 2932 mscorsvw.exe 2932 mscorsvw.exe 2880 mscorsvw.exe 2880 mscorsvw.exe 1752 mscorsvw.exe 1752 mscorsvw.exe 1444 mscorsvw.exe 1444 mscorsvw.exe 1980 mscorsvw.exe 1980 mscorsvw.exe 548 mscorsvw.exe 548 mscorsvw.exe 2436 mscorsvw.exe 2436 mscorsvw.exe 300 mscorsvw.exe 300 mscorsvw.exe 1304 mscorsvw.exe 1304 mscorsvw.exe 1672 mscorsvw.exe 1672 mscorsvw.exe 2924 mscorsvw.exe 2924 mscorsvw.exe 1792 mscorsvw.exe 1792 mscorsvw.exe 2300 mscorsvw.exe 2300 mscorsvw.exe 2216 mscorsvw.exe 2216 mscorsvw.exe 1996 mscorsvw.exe 1996 mscorsvw.exe 1444 mscorsvw.exe 1444 mscorsvw.exe 2652 mscorsvw.exe 2652 mscorsvw.exe 1752 mscorsvw.exe 1752 mscorsvw.exe 952 mscorsvw.exe 952 mscorsvw.exe 2684 mscorsvw.exe 2684 mscorsvw.exe 692 mscorsvw.exe 692 mscorsvw.exe 1000 mscorsvw.exe 1000 mscorsvw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 21 IoCs
description ioc Process File opened for modification C:\Windows\system32\dllhost.exe aspnet_state.exe File opened for modification C:\Windows\System32\alg.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\System32\vds.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\vssvc.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\wbengine.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\System32\snmptrap.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\SysWow64\perfhost.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\locator.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\SearchIndexer.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\fd33256e85fff97f.bin aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\System32\msdtc.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\msiexec.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\dllhost.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\7-Zip\7zG.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7z.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat mscorsvw.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe aspnet_state.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6374.tmp\Microsoft.Office.Tools.Excel.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E70.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3514.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3CD2.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d046293d2d32db01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2236 ehRec.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 2888 aspnet_state.exe 2888 aspnet_state.exe 2888 aspnet_state.exe 2888 aspnet_state.exe 2888 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: 33 2932 EhTray.exe Token: SeIncBasePriorityPrivilege 2932 EhTray.exe Token: SeDebugPrivilege 2236 ehRec.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeRestorePrivilege 2152 msiexec.exe Token: SeTakeOwnershipPrivilege 2152 msiexec.exe Token: SeSecurityPrivilege 2152 msiexec.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: 33 2932 EhTray.exe Token: SeIncBasePriorityPrivilege 2932 EhTray.exe Token: SeBackupPrivilege 2000 vssvc.exe Token: SeRestorePrivilege 2000 vssvc.exe Token: SeAuditPrivilege 2000 vssvc.exe Token: SeBackupPrivilege 1956 wbengine.exe Token: SeRestorePrivilege 1956 wbengine.exe Token: SeSecurityPrivilege 1956 wbengine.exe Token: 33 968 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 968 wmpnetwk.exe Token: SeManageVolumePrivilege 1348 SearchIndexer.exe Token: 33 1348 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1348 SearchIndexer.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeDebugPrivilege 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Token: SeDebugPrivilege 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Token: SeDebugPrivilege 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Token: SeDebugPrivilege 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Token: SeDebugPrivilege 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeDebugPrivilege 2888 aspnet_state.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe Token: SeShutdownPrivilege 2616 mscorsvw.exe Token: SeShutdownPrivilege 2408 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2932 EhTray.exe 2932 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2932 EhTray.exe 2932 EhTray.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 2148 fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe 584 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2616 wrote to memory of 2848 2616 mscorsvw.exe 51 PID 2616 wrote to memory of 2848 2616 mscorsvw.exe 51 PID 2616 wrote to memory of 2848 2616 mscorsvw.exe 51 PID 2616 wrote to memory of 2848 2616 mscorsvw.exe 51 PID 2616 wrote to memory of 1636 2616 mscorsvw.exe 53 PID 2616 wrote to memory of 1636 2616 mscorsvw.exe 53 PID 2616 wrote to memory of 1636 2616 mscorsvw.exe 53 PID 2616 wrote to memory of 1636 2616 mscorsvw.exe 53 PID 2616 wrote to memory of 1872 2616 mscorsvw.exe 55 PID 2616 wrote to memory of 1872 2616 mscorsvw.exe 55 PID 2616 wrote to memory of 1872 2616 mscorsvw.exe 55 PID 2616 wrote to memory of 1872 2616 mscorsvw.exe 55 PID 2616 wrote to memory of 1132 2616 mscorsvw.exe 79 PID 2616 wrote to memory of 1132 2616 mscorsvw.exe 79 PID 2616 wrote to memory of 1132 2616 mscorsvw.exe 79 PID 2616 wrote to memory of 1132 2616 mscorsvw.exe 79 PID 2616 wrote to memory of 2104 2616 mscorsvw.exe 60 PID 2616 wrote to memory of 2104 2616 mscorsvw.exe 60 PID 2616 wrote to memory of 2104 2616 mscorsvw.exe 60 PID 2616 wrote to memory of 2104 2616 mscorsvw.exe 60 PID 2616 wrote to memory of 2480 2616 mscorsvw.exe 62 PID 2616 wrote to memory of 2480 2616 mscorsvw.exe 62 PID 2616 wrote to memory of 2480 2616 mscorsvw.exe 62 PID 2616 wrote to memory of 2480 2616 mscorsvw.exe 62 PID 2616 wrote to memory of 2712 2616 mscorsvw.exe 63 PID 2616 wrote to memory of 2712 2616 mscorsvw.exe 63 PID 2616 wrote to memory of 2712 2616 mscorsvw.exe 63 PID 2616 wrote to memory of 2712 2616 mscorsvw.exe 63 PID 2616 wrote to memory of 2984 2616 mscorsvw.exe 64 PID 2616 wrote to memory of 2984 2616 mscorsvw.exe 64 PID 2616 wrote to memory of 2984 2616 mscorsvw.exe 64 PID 2616 wrote to memory of 2984 2616 mscorsvw.exe 64 PID 2616 wrote to memory of 3064 2616 mscorsvw.exe 65 PID 2616 wrote to memory of 3064 2616 mscorsvw.exe 65 PID 2616 wrote to memory of 3064 2616 mscorsvw.exe 65 PID 2616 wrote to memory of 3064 2616 mscorsvw.exe 65 PID 2616 wrote to memory of 2004 2616 mscorsvw.exe 67 PID 2616 wrote to memory of 2004 2616 mscorsvw.exe 67 PID 2616 wrote to memory of 2004 2616 mscorsvw.exe 67 PID 2616 wrote to memory of 2004 2616 mscorsvw.exe 67 PID 1348 wrote to memory of 584 1348 SearchIndexer.exe 66 PID 1348 wrote to memory of 584 1348 SearchIndexer.exe 66 PID 1348 wrote to memory of 584 1348 SearchIndexer.exe 66 PID 1348 wrote to memory of 1648 1348 SearchIndexer.exe 68 PID 1348 wrote to memory of 1648 1348 SearchIndexer.exe 68 PID 1348 wrote to memory of 1648 1348 SearchIndexer.exe 68 PID 2616 wrote to memory of 2240 2616 mscorsvw.exe 69 PID 2616 wrote to memory of 2240 2616 mscorsvw.exe 69 PID 2616 wrote to memory of 2240 2616 mscorsvw.exe 69 PID 2616 wrote to memory of 2240 2616 mscorsvw.exe 69 PID 2616 wrote to memory of 2692 2616 mscorsvw.exe 70 PID 2616 wrote to memory of 2692 2616 mscorsvw.exe 70 PID 2616 wrote to memory of 2692 2616 mscorsvw.exe 70 PID 2616 wrote to memory of 2692 2616 mscorsvw.exe 70 PID 2616 wrote to memory of 1968 2616 mscorsvw.exe 71 PID 2616 wrote to memory of 1968 2616 mscorsvw.exe 71 PID 2616 wrote to memory of 1968 2616 mscorsvw.exe 71 PID 2616 wrote to memory of 1968 2616 mscorsvw.exe 71 PID 2616 wrote to memory of 1740 2616 mscorsvw.exe 72 PID 2616 wrote to memory of 1740 2616 mscorsvw.exe 72 PID 2616 wrote to memory of 1740 2616 mscorsvw.exe 72 PID 2616 wrote to memory of 1740 2616 mscorsvw.exe 72 PID 2616 wrote to memory of 556 2616 mscorsvw.exe 73 PID 2616 wrote to memory of 556 2616 mscorsvw.exe 73 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe"C:\Users\Admin\AppData\Local\Temp\fa8d5561970e71114dc23ce16158f54a043fc4968eb8a00630f322861714ca7cN.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2148
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2540
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2804
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2776
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1636
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 250 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 258 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 268 -NGENProcess 23c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 1d4 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 240 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 290 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2a0 -NGENProcess 1d4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 298 -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 25c -NGENProcess 24c -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a8 -NGENProcess 290 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a8 -NGENProcess 25c -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b4 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2bc -NGENProcess 24c -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1b0 -NGENProcess 214 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 260 -NGENProcess 294 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:872
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 248 -NGENProcess 214 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 294 -Pipe 228 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2092
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 248 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 244 -NGENProcess 1ec -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1ec -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 218 -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 248 -NGENProcess 244 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1cc -NGENProcess 260 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 214 -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 238 -NGENProcess 254 -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 214 -NGENProcess 25c -Pipe 1c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 1b0 -NGENProcess 254 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 214 -NGENProcess 24c -Pipe 218 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 244 -NGENProcess 254 -Pipe 1cc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 1b0 -Pipe 2bc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 298 -NGENProcess 1b0 -Pipe 214 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 260 -NGENProcess 2c4 -Pipe 25c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2b0 -NGENProcess 1b0 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 290 -Comment "NGen Worker Process"2⤵PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ac -NGENProcess 1b0 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1304
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1b0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2ac -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2dc -NGENProcess 2c8 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 260 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e4 -NGENProcess 2ac -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 298 -NGENProcess 2ac -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2f0 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2c0 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 300 -NGENProcess 2d0 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2f0 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:2528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2fc -Pipe 298 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2fc -NGENProcess 300 -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:1444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2ac -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:2500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:2352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2fc -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 320 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 318 -NGENProcess 324 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:2028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2e4 -NGENProcess 30c -Pipe 2ac -Comment "NGen Worker Process"2⤵PID:3004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 30c -NGENProcess 304 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:1568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 314 -NGENProcess 328 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2092
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 330 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 304 -Pipe 320 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 334 -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:2912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 308 -NGENProcess 304 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:2556
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 340 -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:3020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 34c -NGENProcess 304 -Pipe 348 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 34c -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 314 -NGENProcess 304 -Pipe 334 -Comment "NGen Worker Process"2⤵PID:936
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 354 -NGENProcess 340 -Pipe 338 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:3040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:1964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 340 -Pipe 30c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 368 -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:1692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 34c -NGENProcess 364 -Pipe 314 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 36c -NGENProcess 340 -Pipe 330 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 344 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:1092
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2092
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 364 -NGENProcess 34c -Pipe 37c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 34c -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:3060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 380 -NGENProcess 370 -Pipe 360 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 340 -Pipe 304 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 34c -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 36c -NGENProcess 340 -Pipe 378 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 388 -NGENProcess 394 -Pipe 34c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2744
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 344 -NGENProcess 340 -Pipe 374 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 344 -NGENProcess 388 -Pipe 36c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1392
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 370 -NGENProcess 340 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 340 -NGENProcess 398 -Pipe 394 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 388 -Pipe 3a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1752
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 388 -NGENProcess 370 -Pipe 3a4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3ac -NGENProcess 398 -Pipe 390 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 398 -NGENProcess 344 -Pipe 39c -Comment "NGen Worker Process"2⤵PID:1764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 344 -NGENProcess 388 -Pipe 3b8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 340 -NGENProcess 3b4 -Pipe 384 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 3b4 -NGENProcess 398 -Pipe 3ac -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3c0 -NGENProcess 388 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 38c -Comment "NGen Worker Process"2⤵PID:2064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 398 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 388 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3cc -Comment "NGen Worker Process"2⤵PID:704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c4 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"2⤵PID:1784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3b4 -NGENProcess 340 -Pipe 3b0 -Comment "NGen Worker Process"2⤵PID:1964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 398 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3c4 -NGENProcess 3e4 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:2476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3d4 -NGENProcess 3e0 -Pipe 3c4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2156
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3e8 -Comment "NGen Worker Process"2⤵PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3c8 -NGENProcess 340 -Pipe 3e4 -Comment "NGen Worker Process"2⤵PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3d4 -NGENProcess 3f4 -Pipe 3ec -Comment "NGen Worker Process"2⤵PID:1708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d0 -NGENProcess 340 -Pipe 388 -Comment "NGen Worker Process"2⤵PID:1892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f8 -NGENProcess 3c8 -Pipe 3e0 -Comment "NGen Worker Process"2⤵PID:1796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3f0 -NGENProcess 3f4 -Pipe 3fc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 3dc -Pipe 3c0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 408 -NGENProcess 3c8 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:1520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 40c -NGENProcess 3f4 -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 3f4 -NGENProcess 404 -Pipe 3dc -Comment "NGen Worker Process"2⤵PID:1948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 414 -NGENProcess 3c8 -Pipe 3f8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3c8 -NGENProcess 40c -Pipe 410 -Comment "NGen Worker Process"2⤵PID:1452
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 40c -NGENProcess 3f4 -Pipe 420 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 408 -NGENProcess 41c -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:1140
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 424 -NGENProcess 414 -Pipe 3bc -Comment "NGen Worker Process"2⤵PID:2684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 428 -NGENProcess 3f4 -Pipe 404 -Comment "NGen Worker Process"2⤵PID:2668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 42c -NGENProcess 41c -Pipe 3f0 -Comment "NGen Worker Process"2⤵PID:2004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 41c -NGENProcess 424 -Pipe 414 -Comment "NGen Worker Process"2⤵PID:2876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 41c -NGENProcess 42c -Pipe 3f4 -Comment "NGen Worker Process"2⤵PID:1132
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 42c -NGENProcess 428 -Pipe 424 -Comment "NGen Worker Process"2⤵PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 43c -NGENProcess 3c8 -Pipe 418 -Comment "NGen Worker Process"2⤵PID:2216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 40c -Pipe 438 -Comment "NGen Worker Process"2⤵PID:1192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 40c -NGENProcess 41c -Pipe 448 -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2408 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2624
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:1680
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1252
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2928
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1008
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2240
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:880
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:592
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2524
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1584
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2660
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1500
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:968
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:584
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 6002⤵PID:1648
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5a21d8efa2ec55f640417919b89f4fd29
SHA14e869fdbc904dcce47c803b99c74aa22cb6c2f89
SHA25626c6fa179141038ec756921fdd2d87cc0738c0fa4a907ad190c10da596b67291
SHA5127524ac52e33ca681d7a24f6e99390cb5c964c7d12aa0c1c9586a98c10b9aa31d097853417952b279a14f8320c987ee0958f4c03e6f089967363465ec2f02318f
-
Filesize
30.1MB
MD5374a08838262ac3174d54e4a9f6a4208
SHA168710431ba1c18161c307d44ab6a42ff37eaed3b
SHA256770be6530707e021eba0354f2844c993bdab0a6ed8fd77ccf507e4a7b75afc5e
SHA5127c776cff4fa889e8a11d6e43b2c17ca5ea81c88ddb6adb747afc33cca279af57474805be2a5d49c96d7d795a5e72b9ac1cb06f27fa2dcb78ca6469842077f290
-
Filesize
1.7MB
MD537d315b5d488cb3ed16e9ead10679015
SHA143b13102627902f8955455ec8fa196445f418e7b
SHA256af36ea599d352ad398ac1e90bcc5c4e9f56e3b4bb5acb951c8544bbcbd743de0
SHA512a8ef53e56500f323701618310b0df8f8e0bd60c9d1f5a350b66c31608966c2a08cff32da71ab7fcf777a0b6854a0681a18d12e3548732b4ef1fd0a2ab28ac659
-
Filesize
2.1MB
MD581d40e292f8cc4ab60e63a3aeea0faad
SHA1d1ea43ecdbfcf8e942b1cb8b1cd6c3e0ac844c03
SHA256c1a079468da3a1b4d5e7b11288edecb002bf8d012d97d2cf6fbebc8a31addd40
SHA512aee0bc64e588b82c8811988a68059a54d27e96d0d2cba160758a4d1fe1aff8897ae01314f17877657f3b4b44048d9a72b5831c2ea1009005b95dbd48b67607bf
-
Filesize
1024KB
MD579749c7fe72befefcfd9750d739ef1c4
SHA15f37d85b1b55876c3261c888c01f845461abee12
SHA256920f4c5f40f9ccbddfbaac83cce0056a7b3f165cee9d08f2680cb3f1406db806
SHA512fc84a9724b2b4075a50a987dc1c504b56af7a99450709c3e95b82511339292b17897b436d4b5960aacb9bfe93fdac83a43b63fb0b107cbfaede698a5216ae89a
-
Filesize
872KB
MD5a00fab5bb37183b3acffc8b9c4ef1f17
SHA1641b89d98724b3d5badc79e7683257b1563c9c62
SHA2566be93bccc2a2671992b60ab1a02a56a812d280b650f060efe5f701019ee8cd10
SHA512a255193bb55376945435dbafb056e6922961efff9860f3732ac15c0d3b528e160ca175ee9bc4c5ab28548c49588bc70ae3b03a0053a030651e7f8e711f619ad8
-
Filesize
1.6MB
MD5c12c2e41e9a9b9db0cb80e256f5c8d00
SHA1a0101a988703f22204d1de8a5087b0139969cd92
SHA256595865fd3c7e12b2133e7824cfe1a17c12758e978c27af7541fd7eba55017c68
SHA512a05792f9c27597b01065fe3a789df74179cfe5ad3c3540a2d33cf8a4a7ce71ec3bbfb7e4013791ad2609720397edc0d4d36c5f62db4fc1cdf709a02f09f8825c
-
Filesize
1.5MB
MD52a8b2b8ac3750a1361193784ff682709
SHA11be5c7cc092cb72c9b4ac9c20bd0c3632543f14b
SHA2565994f8b0b05b2fbd8b635bc11573d8ab0889ee38b0017df49b382ad592b6d489
SHA512a2c3544cd467ac4eca6f8cc79700e377bbe67ad6e529dc3a1885f3cd4d9628c74dd0db690a03b362a7d0b3ae52ec7104d0da1f494bf35f93622e5854e0f94995
-
Filesize
1003KB
MD5e287105fc5268ed25ee47193981490c8
SHA1c9d7c3f8f29502bdd7134b1a7378e3cd9a7010fa
SHA2566f7ff09b495a6adbb1df577cbb0a55d69a6b9ca654767095478bd1589becdd07
SHA5128d8c360ec1dc61c2cada8b4f99d86b4d813b1ac9e74f49ffa25994f4a3a5627221d3e9226a5fa92927e50e9df06584b088040d043181cc6c163dbe5d48dca872
-
Filesize
1.6MB
MD566c0955c3e02e3b636c9d59775dc3244
SHA1bc3a84d0b7e0c5b63b63d5ea03d992e72390db64
SHA25682d0dc9258ee430ba7d9239c30cb69a6e167710b3adb1e0411f28f8c91431a8b
SHA512c3f825279fa897bcd3868321655b4607d02ba030beebdceedcbed777b82520d639325328607d2d78a9e82bcc9aba5595888509cd0878fffb977f468dfa72925b
-
Filesize
8KB
MD5e9950c799612258e305893ca0b30e4f2
SHA184dd86afd303d797b8b1a0c705799744e145c348
SHA256f71b9b3b8fe5652c4b20230fadbfb8546f7dbd002a67f412ed3157bfc6bbebed
SHA512775aff5b052ef37ced4547ec9ac5a829a04cfe293d1f04a0b1141ccfab411dff9aaf2900a8c089f4b4cbdca754be87638cf78c4c6e8f7530cb784aa187d58994
-
Filesize
1.5MB
MD515a151970e75637f49c8a954999e3f04
SHA14216f20893ac4eb14c29e61a933067225bdb2d13
SHA2563f581be130f151743fd5fdb717573e6348b385f7dcc9a78f49052759e29c3e83
SHA512f8b974ed9b5f0457c74f323fa44301a585be41631e5028a48c7825f76d0453a1347bfaf4115e78c7d140b24cf90402cd1b9cb79b67ee00085a98bf8215d9da1d
-
Filesize
1.1MB
MD52ffefcfa6f4fcd2c012a481696d8128b
SHA108a33a53375d08beeed075ab83661fbd05c9a27e
SHA256173fc823abbe62fafe164a1dc7bd129145858661ac631b389341e06c5dd7b9d2
SHA512557d5ff048c0e972c7f1cdfd3b101f172a2e2c16575d9aa9325dc97057676843b9ad03e737aa95b73b9f8b00fe9bb9573222512cdfb0c6f7b218fe7406832e00
-
Filesize
2.1MB
MD5903830f689da4677a1d4376589825e27
SHA163688e75c0dc9fcaae13e16ef0d231aec1489fcc
SHA2564cd0d6380009a20e3b0729342845322422d280be68b2cc193eaf3104a54c5f79
SHA5122ee3e9df78c3e8d40f253c9bb126870eb8da991cd29d43139def1847f9dfcbe4830e781ddb7c1e049e48268a9a60728503c40bed6f81a4415f7db00a2907a964
-
Filesize
1.5MB
MD5dc8d3e6cf2182e2a61a127650f1a6a66
SHA1c73530be0a4be806af2b3f96fc503d51e2b38377
SHA256a30ddc8a4e9511f9450440b3b17760cfd9f35c481c7ab377953ec7fa07b118a4
SHA512c93000179a1a2f186ac446eeb3724ae5cb1d8a2efcecaabbca5092ef76242b63e61fcbaab019a35d5e167999b3508f2ca914f14a6f57d985d1cb7dd449c3e78f
-
Filesize
2.0MB
MD5109bfa320fd06b29139695370d261218
SHA11f0a6816843082c7137496b8499864ac415c5bfe
SHA2561ff94919ffe94bbcaca17abefd88d8b0e30fb5a7ff25f371c84c4665c76f4067
SHA512fe9a94f7aa122616140b7e23f80bcf23f3ff5e64a460b03374695c0f1b849b4dd09a883c536df447b61830da4ca3ddf910a69d7f4a7c7dfd7273f3e6fd7efb0e
-
Filesize
1.7MB
MD51836e1f494a5cdd34bf4d13af94902f4
SHA151fa0771f224496302971e30266f53e45b6701b1
SHA2562bcf95c2eda4c45833727d32ace6139d633626e5f4873653e005e49d80806ecf
SHA512167f91aefdcead72f543107117339e2fc2815a5f26fa80140cfd21f940022094bbca460061e4a60693b7d9884148212f7cff6b412c77df9857f341af04e7d2d2
-
Filesize
2.0MB
MD5618f8fc6c50d0a1f4e253b232f497e27
SHA1d3f8f16dec64c8cef6c0ad0f14088e1d3b4e485a
SHA2567925984185c5f3bb7001ef20072bd3254de0a47acf9c7f64d54114622df1af08
SHA51253ed70a2c4bba3ac55d2e3b3a005365fa44ed691a35d3ae6712e746510ccd3c8c3c93120a7c7e9f9b821e03f427d0b22e0ca522b313098f25fc5eb21b0004fc7
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize834KB
MD5c76656b09bb7df6bd2ac1a6177a0027c
SHA10c296994a249e8649b19be84dce27c9ddafef3e0
SHA256a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA5128390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
MD5aeb0b6e6c5d32d1ada231285ff2ae881
SHA11f04a1c059503896336406aed1dc93340e90b742
SHA2564c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
MD5e88828b5a35063aa16c68ffb8322215d
SHA18225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA25699facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
MD5006498313e139299a5383f0892c954b9
SHA17b3aa10930da9f29272154e2674b86876957ce3a
SHA256489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA5126a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48327efdeacff754940eb46972ff67f3\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD5b05d8e968133c135ffae6eb556dc9594
SHA1f6c686427d5839206dec582dd3e46149b1c5b452
SHA25611969bc8b719fb67e8c191a60322313c6b01407519c145b18c2e9a64e5c43da9
SHA512aee69e64d711a1da14bef1465da666fddb5c36d9aa0829c45a513683cab103190c156ab1ea35cf4eb431a3eacdfb3012dc6dd83988c43d57500a525cdf8e5724
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\48a294a6ff9cea6b26c38fc8b4f5e3e8\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0.ni.dll
Filesize356KB
MD587111e9d98dc79165dfc98a1fb93100b
SHA14f5182e5ce810f6ba3bdb3418ad33c916b6013c8
SHA256971188681028501d5ac8143b9127feb95d6982417590af42cf1a43483e38bd42
SHA512abbb246d620e8a2ab1973dde19ff56ea1c02afa39e889925fe2a1ba43af1ad4ff6eb017e68578ae520109b3e290b3d9054d7537eb2df0ede6e0fbca8519cc104
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD56f9f108fa2279e1c28463809d1ade2ae
SHA1f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d
SHA256bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8
SHA5129a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\5be0914ec6bc775ef1c7f93f75a1861a\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD535aefa05e77d58d31272bb94c0ef25f5
SHA1bef4874a17cfe29939ca24f0adbdaadb80670632
SHA256efbfd4c3ca295cd7fdfc67072136668b0c7de72d40162bc28e6ae919eee6c66e
SHA512e88c5c7e7a37ab8db4ba704d172651de429de39abf8a07f166cf90fad939fdf6bfc94604111bfad534d5159f60e7d63b34a69cc7c55fbe7ad6680aa0a9063327
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787526c375f27d452cde50fea4f7986b\Microsoft.VisualStudio.Tools.Applications.Adapter.v9.0.ni.dll
Filesize1.2MB
MD50637ad2bf6fc5ac1d29e547155bc818c
SHA1a502879466b6dd37eae5881bbb18353f97623852
SHA256868c297cb00b2d298f594ad7e3fd4e38aeaac78042613626d6f919b2bca25c4f
SHA5121d18a16ec3b91c3143c4371de305a7ea464d41661752ece65bf1ce19a8342a265c024a740afa6be8baf4d1edfdac6c6fcdad7395c1294342cd1f4388428e52c1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\a05ee2388c8a28fb3ac98ec65148e455\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll
Filesize65KB
MD5da9f9a01a99bd98104b19a95eeef256c
SHA1272071d5bbc0c234bc2f63dfcd5a90f83079bbab
SHA256b06632dff444204f6e76b16198c31ab706ea52270d5e3ae81626dc1fc1fb1a4d
SHA512dcb3273e33b7df02461e81a4f65ae99c0a9ae98188a612ce6d605a058bd2dcb6ddb5b7c78abe1f0a955b7f0c07c323dbfd77a2b6a629a9c87e4ecc1c57e4d81d
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\bf3e8ba642eaf9a5371982f211550c52\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.ni.dll
Filesize278KB
MD5d74d434aa70ce827715b5e0ac7eda5be
SHA1b53f3374be4c96af51c78fd873de1360f17c200f
SHA25654701cbe719b08b2393b9f4a604c372f9a280b5d3dd520b563d2aea7d69a1496
SHA512631d09a0ff39ece829f5c23278c2c030e5ff758b285128edb7805682de75b5be1aedd914d2325f79ec98d0103660a39ae1f1a5782f5dad038b143f3774c098df
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\eb716e5a0332d968e11619200c539c9c\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
MD50ba4b028d198df981a9604a21963a727
SHA14686b50bf2d8622684ae145817611bdb841fc33c
SHA256a3b3049cc3df2db2e0c5c3266c8674e9240af80b3fb5502acc1230cbac2d2116
SHA512218518721c9765bdf88d250d0c58c16ea61a1443b73e402d1c3219533aecaf92e7b0b01fd0f6ec98e0175be5602e7e1378b5160feb6d22331a20879a0ee496d2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
1.6MB
MD5c76aceb055e3a55f337396fe11557af4
SHA119c846611e1b7f182fd8f76f49a49e4a03f52332
SHA256656032c0ccf7626174317fb4b4d35270c3588d3bd6d83aecb078896d9ccb5465
SHA512c8510b91531ad33d740b56b74cfd9c6ef244fa771402f10769055e6b46dd016ad170e74b7dea437ab7797164094831903955357144f99fdb15f841c7305b7cf9
-
Filesize
2.0MB
MD5424e35c1c86601b05b618bc98ae37eb5
SHA17b2df6ca6e35921ab75d7b0fbf2fb825a146bd07
SHA256c7584c1087e250e3bdb25eb4cb5813034040f089899db0999c3e1e85e4612c11
SHA5122df2015f95a37b5675f7b5ff7c488f77c5c2cb12c7753e076fc1ec92c57130b7a26fe17464bdb82acc28214bb5e17928c0695b4d3e51e72c55131743ab629449
-
Filesize
1.5MB
MD556b20a09275bc5de13481651932faaf3
SHA1737511e6f94444873bf45bd3058f3fd64f1d682c
SHA2566b2c32871c50534f9988d332eae2056df01e1bb41d41ae97f0e53cfd6c5d24b2
SHA512d6750153b4bcc1240e524b2b9046d63d0c1f3d4b8c4339d22c2b4c7cc1ef25fcde6f646349dbaec9fe388efd24873dee0c06ab028564fed0af3eb7dd7554f286
-
Filesize
1.5MB
MD5d4f3c513509dfec61566d6a5dcd6a404
SHA1264eb4b58ba95f8bd33f47505cadf67a580bdb26
SHA2560d9c75b1ef5d7f15cae15bcd7add994641516500c856a63fd2a3e269fad42c8f
SHA51287f28b2b9e5e51e1766a496584795723955eed4d8bf88afc8a15f74d1803794691c80dd22828e3e9ea307aeeff0942b5b0d3b8732563822f333a3c33c1f9c69f
-
Filesize
1.5MB
MD577bb80e112c960aac865d8cc3c2a4afa
SHA1d33f9c628d92e31227468d006e95120e29b56b22
SHA256179fbf21b15e6d382ea936ae48e994c35d7f38fff4a838f061fe5de27e9e0271
SHA512f4e601ae2433cfc5bf82b3dfa829b0f8d45db7da7347dc79c5664952b494231726358bd7471e4907691b4dce0233c08e5b28182ba1ff204a37b39b7f1278c7b7
-
Filesize
1.5MB
MD529fab49ea0ecd7cbdfd4beafc56c103e
SHA13652f1041d1acdf6d682a5ddefc9e8a5e5e985b7
SHA256fbb35fa25dea0814346cdcaa644fe1dbed7c530b173dfa13b0ca79eef17f8ba9
SHA512c83641750a391292cbd1ef6a85112f5ad4f1a4639e9c526c1965ccef6cf0da06748766a81efdf8e52b08b4f199a5ba32709a47ae480af96fb359fc245c818e1d
-
Filesize
1.6MB
MD57bbc3a82b51d089ee33960f113c34113
SHA12e051af603d431eeead233897c4f54f057196356
SHA2562c8a76493958665ff4f1b559358bd683ec4a599ad8cddcafca07c8c32bcc80ad
SHA5128b38bf519fac212819a0028d359b6b750d28d2b9a8bd18b42ad1217e12039771117fdbb78e2ed25cda612ba7ce111afe887b30d1266682c8239113a0796f5cca
-
Filesize
1.6MB
MD50d27bf38ab306383410944addd5e74cc
SHA1af5ac4b07e519be45f149d464a9eec970ae646ca
SHA256c957d76c0dfb43059ac95b689dbcb0b1f3318c478d8fdbb7902277d9aa8c1cb1
SHA512345145db424d178a4e1554d6e45b973b593a9f3ec9d91f40418b2a945290e4effdc3026fe3783ffac2041675660aab6e5c02a1eedfcc91fa58b2ae3d125b9e07
-
Filesize
1.2MB
MD587bcc2d0461c8f0b4cc9f28e8886168d
SHA180324eaa8ca497e1241cd6b6dd8a0642fcb27878
SHA256a77223b2d58616392b0b0654387a6d84e5c900e91e26b6ea4ba63e1a962da160
SHA512a46327f18200a36fae780ba99e373db6beee672deca80ebb209385d812578710a88d52d49a5f7271ca06a07127b46e2f09ae81c6d955805211071d0a95cebc56
-
Filesize
1.6MB
MD5be1efc0e7564a79f4894ce1b0486401a
SHA1c5a444341b10fae2041caf882911b92abb7546e9
SHA256a25272560d24818c240478c36fcc0930877e04b8679346b24123f086013073b4
SHA512ac517deaae839f77595cc4719cd4a9b99d760c9c5ef6f34d2c8ae760bee512a1a9694ab21f3d49369f50cf881c39bcdff58286f75649071d04bcd2cf9192c026