Analysis
-
max time kernel
113s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
08/11/2024, 12:24
Static task
static1
Behavioral task
behavioral1
Sample
937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe
Resource
win7-20241010-en
General
-
Target
937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe
-
Size
858KB
-
MD5
f7b2df02e4a9d3b9390af8cf8bf16580
-
SHA1
755a73d39319c2b1d7d6d06430fb2369411cc1d9
-
SHA256
937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16e
-
SHA512
33c2c71572f329c86d5745d6270299f8a15e76fbd27f45ba449dd1f52656a43bb3b3a75ece63c6f8064b6d57c2f6fea4ae7caf88cdc3b69a0fdeca9dbe06bff1
-
SSDEEP
24576:qpoXTBCRt8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:q+XlOgDUYmvFur31yAipQCtXxc0H
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 464 Process not Found 780 alg.exe 2836 aspnet_state.exe 2824 mscorsvw.exe 2592 mscorsvw.exe 2108 mscorsvw.exe 3052 mscorsvw.exe 1312 ehRecvr.exe 1768 ehsched.exe 2576 elevation_service.exe 972 IEEtwCollector.exe 2164 GROOVE.EXE 1756 maintenanceservice.exe 2392 msdtc.exe 1708 msiexec.exe 2752 mscorsvw.exe 2812 OSE.EXE 1100 perfhost.exe 2064 locator.exe 2332 snmptrap.exe 1108 mscorsvw.exe 1672 vds.exe 2984 mscorsvw.exe 1000 mscorsvw.exe 2092 mscorsvw.exe 2948 mscorsvw.exe 2500 mscorsvw.exe 696 mscorsvw.exe 2716 mscorsvw.exe 2324 mscorsvw.exe 2868 mscorsvw.exe 2376 mscorsvw.exe 3064 mscorsvw.exe 612 mscorsvw.exe 2896 mscorsvw.exe 2184 mscorsvw.exe 2600 mscorsvw.exe 1184 mscorsvw.exe 1600 mscorsvw.exe 2960 mscorsvw.exe 2924 mscorsvw.exe 1632 mscorsvw.exe 2500 mscorsvw.exe 2532 mscorsvw.exe 920 mscorsvw.exe 2424 wbengine.exe 1660 WmiApSrv.exe 1052 wmpnetwk.exe 2764 SearchIndexer.exe 2104 mscorsvw.exe 3040 mscorsvw.exe 2156 mscorsvw.exe 2288 mscorsvw.exe 456 mscorsvw.exe 2340 mscorsvw.exe 2272 mscorsvw.exe 2124 mscorsvw.exe 2096 mscorsvw.exe 1356 mscorsvw.exe 368 mscorsvw.exe 592 mscorsvw.exe 2580 mscorsvw.exe 2484 mscorsvw.exe 2220 mscorsvw.exe -
Loads dropped DLL 38 IoCs
pid Process 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 1708 msiexec.exe 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 464 Process not Found 744 Process not Found 456 mscorsvw.exe 456 mscorsvw.exe 2272 mscorsvw.exe 2272 mscorsvw.exe 2096 mscorsvw.exe 2096 mscorsvw.exe 368 mscorsvw.exe 368 mscorsvw.exe 2580 mscorsvw.exe 2580 mscorsvw.exe 2220 mscorsvw.exe 2220 mscorsvw.exe 472 mscorsvw.exe 472 mscorsvw.exe 2604 mscorsvw.exe 2604 mscorsvw.exe 2960 mscorsvw.exe 2960 mscorsvw.exe 1016 mscorsvw.exe 1016 mscorsvw.exe 1244 mscorsvw.exe 1244 mscorsvw.exe 1552 mscorsvw.exe 1552 mscorsvw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 25 IoCs
description ioc Process File opened for modification C:\Windows\System32\vds.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe File opened for modification C:\Windows\system32\locator.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\System32\snmptrap.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\System32\msdtc.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\vssvc.exe alg.exe File opened for modification C:\Windows\system32\dllhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\System32\alg.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\fxssvc.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\SysWow64\perfhost.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\msiexec.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\vssvc.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2cca79945f6c6349.bin alg.exe File opened for modification C:\Windows\system32\dllhost.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE alg.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe aspnet_state.exe File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe aspnet_state.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE alg.exe File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe aspnet_state.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7zG.exe aspnet_state.exe File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe alg.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe alg.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe alg.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe aspnet_state.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCC25.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDBBF.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE59E.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE1E6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File opened for modification C:\Windows\ehome\ehsched.exe aspnet_state.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe aspnet_state.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD73C.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDE10.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE3AB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE81E.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language perfhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GROOVE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86} SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software ehRecvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft wmpnetwk.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer wmpnetwk.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit ehRecvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000301bc075d931db01 SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SearchIndexer.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FEF7B794-725D-4BDF-8825-AC9027D12089} wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" ehRecvr.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 388 ehRec.exe 2836 aspnet_state.exe 2836 aspnet_state.exe 2836 aspnet_state.exe 2836 aspnet_state.exe 2836 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 840 937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: 33 976 EhTray.exe Token: SeIncBasePriorityPrivilege 976 EhTray.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeDebugPrivilege 388 ehRec.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeRestorePrivilege 1708 msiexec.exe Token: SeTakeOwnershipPrivilege 1708 msiexec.exe Token: SeSecurityPrivilege 1708 msiexec.exe Token: 33 976 EhTray.exe Token: SeIncBasePriorityPrivilege 976 EhTray.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeDebugPrivilege 780 alg.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeTakeOwnershipPrivilege 2836 aspnet_state.exe Token: SeBackupPrivilege 2424 wbengine.exe Token: SeRestorePrivilege 2424 wbengine.exe Token: SeSecurityPrivilege 2424 wbengine.exe Token: SeDebugPrivilege 2836 aspnet_state.exe Token: SeManageVolumePrivilege 2764 SearchIndexer.exe Token: 33 2764 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2764 SearchIndexer.exe Token: 33 1052 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 1052 wmpnetwk.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe Token: SeShutdownPrivilege 2108 mscorsvw.exe Token: SeShutdownPrivilege 3052 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 976 EhTray.exe 976 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 976 EhTray.exe 976 EhTray.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 1616 SearchProtocolHost.exe 1616 SearchProtocolHost.exe 1616 SearchProtocolHost.exe 1616 SearchProtocolHost.exe 1616 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe 2544 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3052 wrote to memory of 2752 3052 mscorsvw.exe 45 PID 3052 wrote to memory of 2752 3052 mscorsvw.exe 45 PID 3052 wrote to memory of 2752 3052 mscorsvw.exe 45 PID 3052 wrote to memory of 1108 3052 mscorsvw.exe 50 PID 3052 wrote to memory of 1108 3052 mscorsvw.exe 50 PID 3052 wrote to memory of 1108 3052 mscorsvw.exe 50 PID 2108 wrote to memory of 2984 2108 mscorsvw.exe 52 PID 2108 wrote to memory of 2984 2108 mscorsvw.exe 52 PID 2108 wrote to memory of 2984 2108 mscorsvw.exe 52 PID 2108 wrote to memory of 2984 2108 mscorsvw.exe 52 PID 2108 wrote to memory of 1000 2108 mscorsvw.exe 53 PID 2108 wrote to memory of 1000 2108 mscorsvw.exe 53 PID 2108 wrote to memory of 1000 2108 mscorsvw.exe 53 PID 2108 wrote to memory of 1000 2108 mscorsvw.exe 53 PID 2108 wrote to memory of 2092 2108 mscorsvw.exe 54 PID 2108 wrote to memory of 2092 2108 mscorsvw.exe 54 PID 2108 wrote to memory of 2092 2108 mscorsvw.exe 54 PID 2108 wrote to memory of 2092 2108 mscorsvw.exe 54 PID 2108 wrote to memory of 2948 2108 mscorsvw.exe 55 PID 2108 wrote to memory of 2948 2108 mscorsvw.exe 55 PID 2108 wrote to memory of 2948 2108 mscorsvw.exe 55 PID 2108 wrote to memory of 2948 2108 mscorsvw.exe 55 PID 2108 wrote to memory of 2500 2108 mscorsvw.exe 72 PID 2108 wrote to memory of 2500 2108 mscorsvw.exe 72 PID 2108 wrote to memory of 2500 2108 mscorsvw.exe 72 PID 2108 wrote to memory of 2500 2108 mscorsvw.exe 72 PID 2108 wrote to memory of 696 2108 mscorsvw.exe 57 PID 2108 wrote to memory of 696 2108 mscorsvw.exe 57 PID 2108 wrote to memory of 696 2108 mscorsvw.exe 57 PID 2108 wrote to memory of 696 2108 mscorsvw.exe 57 PID 2108 wrote to memory of 2716 2108 mscorsvw.exe 58 PID 2108 wrote to memory of 2716 2108 mscorsvw.exe 58 PID 2108 wrote to memory of 2716 2108 mscorsvw.exe 58 PID 2108 wrote to memory of 2716 2108 mscorsvw.exe 58 PID 2108 wrote to memory of 2324 2108 mscorsvw.exe 59 PID 2108 wrote to memory of 2324 2108 mscorsvw.exe 59 PID 2108 wrote to memory of 2324 2108 mscorsvw.exe 59 PID 2108 wrote to memory of 2324 2108 mscorsvw.exe 59 PID 2108 wrote to memory of 2868 2108 mscorsvw.exe 60 PID 2108 wrote to memory of 2868 2108 mscorsvw.exe 60 PID 2108 wrote to memory of 2868 2108 mscorsvw.exe 60 PID 2108 wrote to memory of 2868 2108 mscorsvw.exe 60 PID 2108 wrote to memory of 2376 2108 mscorsvw.exe 61 PID 2108 wrote to memory of 2376 2108 mscorsvw.exe 61 PID 2108 wrote to memory of 2376 2108 mscorsvw.exe 61 PID 2108 wrote to memory of 2376 2108 mscorsvw.exe 61 PID 2108 wrote to memory of 3064 2108 mscorsvw.exe 62 PID 2108 wrote to memory of 3064 2108 mscorsvw.exe 62 PID 2108 wrote to memory of 3064 2108 mscorsvw.exe 62 PID 2108 wrote to memory of 3064 2108 mscorsvw.exe 62 PID 2108 wrote to memory of 612 2108 mscorsvw.exe 63 PID 2108 wrote to memory of 612 2108 mscorsvw.exe 63 PID 2108 wrote to memory of 612 2108 mscorsvw.exe 63 PID 2108 wrote to memory of 612 2108 mscorsvw.exe 63 PID 2108 wrote to memory of 2896 2108 mscorsvw.exe 64 PID 2108 wrote to memory of 2896 2108 mscorsvw.exe 64 PID 2108 wrote to memory of 2896 2108 mscorsvw.exe 64 PID 2108 wrote to memory of 2896 2108 mscorsvw.exe 64 PID 2108 wrote to memory of 2184 2108 mscorsvw.exe 65 PID 2108 wrote to memory of 2184 2108 mscorsvw.exe 65 PID 2108 wrote to memory of 2184 2108 mscorsvw.exe 65 PID 2108 wrote to memory of 2184 2108 mscorsvw.exe 65 PID 2108 wrote to memory of 2600 2108 mscorsvw.exe 66 PID 2108 wrote to memory of 2600 2108 mscorsvw.exe 66 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe"C:\Users\Admin\AppData\Local\Temp\937853addf341fcad48edf60e554f6e73b600b5516b70a5814834ff3b202f16eN.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:840
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:780
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2824
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2592
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 25c -NGENProcess 264 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 270 -NGENProcess 244 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 26c -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 280 -NGENProcess 240 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1f4 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 28c -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 27c -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 280 -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 250 -NGENProcess 278 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 298 -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 244 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 27c -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f4 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1f4 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2752
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1108
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1b0 -NGENProcess 1bc -Pipe 1f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 25c -NGENProcess 23c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3040
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2156
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 25c -Pipe 1bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2288
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:456
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 240 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2340
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 238 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2272
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 238 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 27c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2096
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1356
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:368
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:592
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 28c -NGENProcess 274 -Pipe 238 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2484
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1b0 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2220
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 274 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:2808
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 29c -NGENProcess 294 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:472
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 1b0 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:1636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2604
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 288 -NGENProcess 290 -Pipe 1b0 -Comment "NGen Worker Process"2⤵PID:2432
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2ac -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2960
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 29c -NGENProcess 2a4 -Pipe 284 -Comment "NGen Worker Process"2⤵PID:2980
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b4 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1016
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:2032
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 23c -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2b8 -NGENProcess 2b4 -Pipe 290 -Comment "NGen Worker Process"2⤵PID:2220
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1552
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b0 -NGENProcess 23c -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"2⤵PID:2580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:1844
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 23c -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 23c -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:1596
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:2388
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:1740
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:2188
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 23c -Comment "NGen Worker Process"2⤵PID:2472
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2e4 -NGENProcess 2f4 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:1244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2a0 -NGENProcess 2d4 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:2980
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2e8 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:2960
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1312
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1768
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:976
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2576
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:972
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2164
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1756
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2392
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2064
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2332
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1672
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1660
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:1616
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 600 604 612 65536 6082⤵
- Modifies data under HKEY_USERS
PID:1312
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2544
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD5a469915980efd5a3dc365cd23f397ea6
SHA14633b713d5a6389dac8498289c819a9a3172170f
SHA25652c2ce2da41ff20d537c65b75b1372e426cbd78c94c8bf1e36536e8d031343dd
SHA512c79365d07d0611e3382a1e39878753382d4873d9d54217c7ea6091365fb8a16c782c45add29b6182dc45875686213824afd990d1a79ca2b3b070510a808129ed
-
Filesize
30.1MB
MD53f34bd380c8d4634913c453254ee936e
SHA16e86530971e0fa7e5f2d55caf9c58a97f6995d51
SHA25603b03fed8f1fd410e1dd6aad9f99e4a7f3e4e3bae809ec1e5ba51a428d2eebbe
SHA512cd4602c42c4b124911625306c59334809e871e54c0ae2f0fdb9c7c5d8b91066df62a8da1f7650da10039847ddce41d68f83c77ffa3b732f7ca19cbf179fcfc0c
-
Filesize
781KB
MD5d6f652c07ee395fa0f8f5e98329ad168
SHA1711c918b862f6f3ea8320e84268a5755612d421e
SHA25670801f0ef22c884f5962aedc981787b43bf3c1455e6a495656e25f094bf5243e
SHA512b8d13f6e974cac5c63abe35e077ce6a07580120043c409775e73c44e0fda5b410b7343019f59f90d92ec68d9dbf7f80bc49fea8c9e499aceb2af398888d45edc
-
Filesize
2.1MB
MD58553729412bd058bd236538091a3e894
SHA1b09bce2454e8ef19667909284f6e04ee86d66240
SHA256851ffe76e28dc97d857be57cfb4c2113f6c1ff081fcc1421a7d5adc30c161879
SHA5122a6d7064ca991ae73034b214ae9255090aaa696446baab36e4151e62f5636af8adf7252c5b1158795f971850c78a83f026e1c8b7c3452b4833d71c572f24a5af
-
Filesize
1024KB
MD551da34a4f22540e7676f7e66bbb3d544
SHA1963a8594079797affc9f8761097d2923fbdaaa79
SHA2569f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA51233cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
648KB
MD5b06d6e8e5126e84e290a95f9fc8b75f6
SHA18fe644d05d1226f1f3cb28d21558e04b42fa4481
SHA25627085a5206eb9873d6c410f4405ae0ac427a94d6b5563dbc4dd6bfc660091b4a
SHA512bc5b87a7b5134c3bf878fde3b922cb6390704bd97beae94ac573b0ade398eb835f5b32109d78dec33e5c8365912ba76f9d5c480a19e88b6f1f9a0212c2998ee5
-
Filesize
872KB
MD541a610a1f303b59e35f8da7c63c8e79d
SHA1184111bbbd3a7f16fb6bbd8bee46cb7555a0dcf6
SHA25623a7da8bfb1fa95869c41f40302daac308683206b82611cdd29e3a2f1f9a4c21
SHA512d4531a46e3f0ed50f07c4dccfa6a9c88c6ff94714bdc05a43f7fb67bdb810877e85301305d534e2da93e68d529d9cb957f5f44dfb7d1000e99053b2f8afb3258
-
Filesize
678KB
MD50109f59ba2ad138ece46d98a9ac4c51a
SHA19086587ebc33fae918d7c71f70aa44be0f4bd253
SHA256d488edb52498cd5a08882ae2230e331ace8ff561abb2a968d859123c37f726b5
SHA51232de0e367c679794dbfc6f2c0b70ae2786087da5be12d78b47e757055409d62652cd75f56d97fbd6164169f3a27cd1cb870baebbd9fe90fbcdc70ef8dbdacdab
-
Filesize
8KB
MD57edd90afc437e69a178074f52d03c282
SHA17deb71f38b5ba79676550f27880be332ce438e36
SHA2566e4a535ab7f146940acd8d0e7da49d0fd35b045ed4c325b7c809f94680010505
SHA5128d3487220ccc9753f0ae01e3076504570e4f4334dbe57a0883e11d75ec53d61c0ae674bcae5f9034c992246dfa3e6ea0f6b91a40ad56dab5e93c008f160a48c5
-
Filesize
625KB
MD522c11b35b02b9f283447b8ac4e957684
SHA14f89cb5fe94202eab988cf9d6feba7e197b0b026
SHA256d5fe1e444e4c392f01581c2de3541129be57a3b1d65f35cb777bba4f65336ee1
SHA512c504f0a91240e913132eea02ff300b26e75ba08c13e7352399ba3ebe44f65d7a7a64da9d0753e2498a4d47c6845c71314c5cc8465d5d2cec3dc03bd2f288875b
-
Filesize
1003KB
MD5e95f1a66bdabca4eed2f3b5de366584e
SHA1e4fc12291256ced337044f04ca642af8be612c9d
SHA2565a4b21eddf5757898d8acb55aee66cae0b39f7e8dca4a8c085f5c7db25625335
SHA51205249d757ea7e9a93088660ddf20909310adb675976612f3f30fb2c92ff8fd217d3ec482657a9a244b78ca1256c26e1250e4ec939fc6c191cd23c30b051f3321
-
Filesize
656KB
MD54c3020daac09c93c6ae32f5fa473d5f4
SHA19275a54d129b5128844f80bded3fa732bec76da4
SHA256e57ac5a79e8ce18d5309e1185841907d1a017dab9d72ddbcc8725009396768b5
SHA512e19600444f47cadf5caef7fea18db6ef2658f20f139996332d177020025ef581e8791438ca9745dab88177d8db70889737b1bb3acecca965c3147bee5f174f18
-
Filesize
587KB
MD5719feb8a1a83a2bc42af5ce27d17c37a
SHA1666b554e25f37e98c77924d76d0787f40db54b92
SHA2561abb67a6cc42dd98a4c9712ae5d35d9bb2baa82e9cc1a01b1bfa75b84092a709
SHA51264488c72920731f403cc47abe860556c280f53c2234ab490e697e6ae88a5bdca97ccc5defa080bb05c4af4173ce5c2d012a3115d29dadfb50c9f30e0d66bf99c
-
Filesize
577KB
MD5e20784cc92c60918c4c0d8e5227fb63b
SHA1e9296be93919497443023768559d9f63c416a23a
SHA256b8e53fc0bf3bbb8f1940e1ce5e888172161f21e0a5939fd731d65a4b9889157c
SHA512315677843a9fe29c76a69ac8646bd679e62ac7aaa4b7e1ae4a1c3f54605c115964a11f1d253b194b300e0e4a1c1bba365b98eb44b45d30de9ad5e357ec9eb0d3
-
Filesize
1.1MB
MD5a4dd0bc707afb4b9eb78546fb6499be9
SHA1f0a25e9d25ee39396219d9dfc94ad90263157e5a
SHA25611fe5ce6333c641ea2e07353157f3f390d947f2daae5cff2fd3e22c4af05861c
SHA512b5d3976e0eceda3fb2d2ccfb3980caaf115e60847d4f6ffb2b517ed6a10edc7e03fc9ffa6498917c24038f3ee19a99e114049711993c6619212b446cf8dc3367
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize248KB
MD54bbf44ea6ee52d7af8e58ea9c0caa120
SHA1f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize205KB
MD50a41e63195a60814fe770be368b4992f
SHA1d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA2564a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA5121c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize43KB
MD568c51bcdc03e97a119431061273f045a
SHA16ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA2564a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\3a0ae44e04afc93ffd5e2af53a25d0da\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize305KB
MD57c3766bfc5671320fca985a9e95e7344
SHA1a3735515e4395d51e4027b2148f4811ccaa7b543
SHA256ddef847dad87b5e96054ce3d1482d611778a5422e0e78e2648fdf5d3d4be4978
SHA512a21b9d115892e759e924b665e8570a474fa198b24acb249d93e10d03488cc6361d2b31f5f6d2efd27bf0b98b42e18c90aa9687208b917d7fac5cbbb4f009fd63
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\468e29a55405b9e85a203267372afe6a\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize221KB
MD5405848e86695192fba192c131b3946cc
SHA192e1c3a6c4de1d5810f97e721e5cc7d72f2ec27b
SHA256143157f8231d3bd72e03ac69f466f19bdfb68984da97f993946b895de562bb0b
SHA512e8473a31bb78727d2ae57cadc4c53c184e8092e7b29174024b3ee0a442a13265f781f3b3ccd246122a2e9f80ddbf6c55d9b41349e46ba4384c80a29c5f83a404
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize70KB
MD557b601497b76f8cd4f0486d8c8bf918e
SHA1da797c446d4ca5a328f6322219f14efe90a5be54
SHA2561380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA5121347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77c2c41b385e1e597e216225b4dc2145\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize271KB
MD56b3bb4b643cb779940cc0b1adea870ee
SHA1bdd98c52d0521a394900d3af7ca1e7d8865fa96c
SHA2562ca6a97186c24d8fd7a9f719190d713d8598b2ed3c32069eb5d837ba4c013f76
SHA512f2585094e372392356ed82088b34cac20759d6174efe3b2c8c95dbcdbde70b226e8565ec76207ec8dd2eeb5670d6037b7385436087b5ef01e33a727412eb71b8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize82KB
MD52eeeff61d87428ae7a2e651822adfdc4
SHA166f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA25637f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c87d866fd7c61399edca08521bdefb29\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize122KB
MD51291737c225cd37792ed0c7aa0e2af9c
SHA1f8040ef748df4930f712b5a42c59762ff7986c6f
SHA256937b16dd497967d0ce6be4bd7555fa48f9ace0738a88578f666c1527f43cc8b5
SHA51285d2051d6eb64ecb00eccac452b3717302cae811dd0f1b4003b5a3b1c68046e35b458a70620a166661894d31ec1a894862152db5f36ad448b3edea8a1155278a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize43KB
MD5dd1dfa421035fdfb6fd96d301a8c3d96
SHA1d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA5128e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
Filesize
1.2MB
MD5a79467f398f410101c0f564696b03793
SHA16f36df24742bd071b30301d1c96dcdd5d42f1498
SHA2569c252fdb8f64e14ce6195a43046ed3e2ee2508a5562a6086cae8172449e0f311
SHA51228edbcc56b0f5464c50b6628739c569ad4b1440234ecb8e8939eafaae50855354633d06eefdf474ffebc5dd81b2c107deec4daf16039c22c9d8f18936cb318f7
-
Filesize
2.1MB
MD5fbb166ee6061fc590c781da078377d41
SHA1bf4fa2be1a2f51564594ca00eb5520999d7bc5e6
SHA256474644219c455c30afb8b0663fdea3b0b8b1509da7104ef2e6cddb3fef38672d
SHA5128d52e492ee30bc798fb579c34acecb33c408f6c9be44944f59a1fef31312025358c5a951f41a3dd46ab43082684e3668e2435543ae563d2ce6cb54da05b4cc77
-
Filesize
603KB
MD57688ed26546cf7025ce699687e264292
SHA1ff09bdc6437ed00a31dd9ddf9e3702d0e696c8c5
SHA256457d4711ee76df9b2a2a7bda4f009e69b628b08f4b2a458e221159d43fc33874
SHA512b9762c0503dfc9665d1fd608dbca9da73f4fa050d4fa9c2a2ba699020140f24588912a362a79bd6671c538e50dec2132af8638556e6e4ac34d5c9035d929dc6b
-
Filesize
644KB
MD54f178d5489ec22f76ee8fed3f0a183ce
SHA1aa0b5940f2ec393994399481db73e1b8046eb3bd
SHA25694355f4261d3db5219773fe49c14bd2e4d52381c7c5cd9ea41654d84514e5960
SHA51251ee1fc9337e738e0bde453c948095383a76a7687fdf46375462bee0d98b47f1ba0ea119b7943e754ea2b24dfb4fbdcab349cdd4f820a6722987e4e8d9dd1574
-
Filesize
674KB
MD55eaa4999b0dbfddc7aa864e03b9b28eb
SHA170a310af4a8f11b1cc902aa22e1923dccfecca80
SHA25638f2bc379c7b5e72f5e609097229f89aff9f3c51dc1469a3a7c6aa89f1617e7c
SHA5126ed4e7b3e6eebfa6d1f550641e0494c2f0e7b5e695106099ca04097b0d8fe7ead0d24e79e1bc4587d8150341a120b4236d16c94fb1242fd41c4ee6c3b9c94822
-
Filesize
705KB
MD58816803935110e05728e652b507acd2f
SHA1a96233c580ede074b54964b1837e8f8c5ab49bc0
SHA25675299d7858ede33bcef84269c4c16f5391a5f4722d142b818bb043208ceb589f
SHA51256e4f00a77bd1993a4754f54ec63af42d875e2ac03ffe20279ca6e2fa7a6beefc96ade2f6f6077e7b30c04708825c26b08846c5ea9035c673417c8accf6fd685
-
Filesize
691KB
MD52ad1524a0b7dfcfba19aebbeb2053452
SHA1bf648028075680e05a9c3134c0956b0a197c3716
SHA25626db94eed386180d9c4111f8786f80511c081d1e38ad9cc56ae24aab2995bee8
SHA51249b715bdf429f6d514e3409f53abfcaf471f151ccc88602ebe9e6b5be5768c2baa96e98435ec0e2c0748fe1a31082a5c517c800a2ea0c1ac36c6e91ce1ba3c2d
-
Filesize
581KB
MD52d6935a7f371d71fa68d083ad4fdb323
SHA161298e0f47251ffb2462d436433492cd879ad0ad
SHA256f7ac4d3d2396f102a555c37bf28dc8ca480152b9f514b922ac0743c67b6918ed
SHA512c9e3da175bfc94e5ce49afb5209bdfa9dc0fde3424be76a22d12d52d68346da9089a476a7fbbe8b858fc6801bb93b70582310ef674bfc1fcc32ea9e3f24ad7a1
-
Filesize
1.2MB
MD5448488be326076e2d0030ef108d7f981
SHA1f05eeef6f2491f7239da38b449f58c424df0068a
SHA256a438d216d41e9bb9cfc8ec722254a7ec559a5234abd1f8c37df2cf31840f7d80
SHA512b64a19df33d6934a9ff75d800e2c07478802223e47bd11ecf40e27a66c8581a51d77b1519cce6a453f1caef95b64036f65d5c465e211ba12fdb51e3fa708bc10
-
Filesize
691KB
MD5705029dd91dfec15b2874a62dc7afdd4
SHA19cf365986761f37f74b7bd3c8f1932b3af994bb6
SHA2567a38e8b5f26e94f73167e66f53bf2f5af75155a0099b7884ef2edc564fba7700
SHA512b94dad0d6b5e90ed4631cf76e59c235698c40eb6571cd4cf5fea19f118b3190a9c5da4754e1c5c3d364bdcfd9df3f696726082a55c414eada2dd0b4672268a7e