Analysis
max time kernel: 145s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:33
Static task: static1
Behavioral task: behavioral1
Sample: 48c58bed930f741ef5306c0c396b62812f15785a41e3463bc4c723d7d1f6d8da.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 48c58bed930f741ef5306c0c396b62812f15785a41e3463bc4c723d7d1f6d8da.exe
Resource: win10v2004-20241007-en
General
Target: 48c58bed930f741ef5306c0c396b62812f15785a41e3463bc4c723d7d1f6d8da.exe
Size: 1.3MB
MD5: 5ba86d001b2781c621ceea4a6bd19420
SHA1: e062183b0600fd3ff50f9f129f0a5e5c417d96ef
SHA256: 48c58bed930f741ef5306c0c396b62812f15785a41e3463bc4c723d7d1f6d8da
SHA512: 84aaffcb451cbdbd58a0202aadfb304787fa3ca2360e033a00700bd3e7d320ee393d7e3b6b143913ef4b98e02fce4b5260dde3712b4315f44b409b895e4f9381
SSDEEP: 24576:rIXgCWSpRy4dSJVDsVu5unzqWvX1DEQkbvK8N3t3QVkLhoo+SVfhl2/:6WSjLSJlsQuzqW/1DErvL73RLSo+2fhl
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 42 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 9 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 916 ehRec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2592  EhTray.exe
2592  EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
2592  EhTray.exe
2592  EhTray.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process       procid_target
PID 1144 wrote to memory of 2900     1144  mscorsvw.exe  45
PID 1144 wrote to memory of 2184     1144  mscorsvw.exe  46
PID 1144 wrote to memory of 1828     1144  mscorsvw.exe  47
PID 1144 wrote to memory of 2364     1144  mscorsvw.exe  48
PID 1144 wrote to memory of 2544     1144  mscorsvw.exe  49
PID 1144 wrote to memory of 2720     1144  mscorsvw.exe  50
PID 1144 wrote to memory of 2372     1144  mscorsvw.exe  51
PID 1144 wrote to memory of 2068     1144  mscorsvw.exe  52
PID 1144 wrote to memory of 2916     1144  mscorsvw.exe  53
PID 1144 wrote to memory of 2504     1144  mscorsvw.exe  54
PID 1144 wrote to memory of 1152     1144  mscorsvw.exe  67
PID 1144 wrote to memory of 1564     1144  mscorsvw.exe  56
PID 1144 wrote to memory of 876      1144  mscorsvw.exe  57
PID 1144 wrote to memory of 1608     1144  mscorsvw.exe  58
PID 1144 wrote to memory of 2192     1144  mscorsvw.exe  59
PID 1144 wrote to memory of 908      1144  mscorsvw.exe  60
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48c58bed930f741ef5306c0c396b62812f15785a41e3463bc4c723d7d1f6d8da.exe"C:\Users\Admin\AppData\Local\Temp\48c58bed930f741ef5306c0c396b62812f15785a41e3463bc4c723d7d1f6d8da.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:596
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2864
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3044
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2680
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 25c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 26c -NGENProcess 1f0 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1f0 -NGENProcess 244 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 280 -NGENProcess 278 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 284 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 244 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d4 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1d4 -NGENProcess 244 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 284 -NGENProcess 278 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 278 -NGENProcess 280 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 21c -NGENProcess 1d0 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2cc -NGENProcess 244 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:972
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 21c -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 2b8 -NGENProcess 2bc -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2bc -NGENProcess 2d4 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e4 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2bc -NGENProcess 2ec -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e0 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1652
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2b8 -NGENProcess 2d8 -Pipe 2e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 2d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2fc -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1168
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2e4 -NGENProcess 2ec -Pipe 2bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d4 -NGENProcess 2ec -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 30c -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 304 -NGENProcess 2d4 -Pipe 308 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 314 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 300 -NGENProcess 30c -Pipe 310 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 324 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2d8 -NGENProcess 32c -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 318 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 328 -NGENProcess 334 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1724
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 31c -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1532
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 330 -NGENProcess 33c -Pipe 328 -Comment "NGen Worker Process"2⤵PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 314 -NGENProcess 30c -Pipe 320 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 30c -NGENProcess 338 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 344 -NGENProcess 33c -Pipe 324 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 33c -NGENProcess 314 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:3000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 34c -NGENProcess 338 -Pipe 330 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 344 -Pipe 348 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 354 -NGENProcess 314 -Pipe 30c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 314 -NGENProcess 34c -Pipe 350 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 35c -NGENProcess 344 -Pipe 33c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 35c -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:524
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 32c -NGENProcess 344 -Pipe 338 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 368 -NGENProcess 354 -Pipe 334 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 35c -Pipe 314 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 35c -NGENProcess 364 -Pipe 344 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:924
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 374 -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 370 -Pipe 32c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"2⤵PID:1520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 318 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 370 -Pipe 354 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 37c -NGENProcess 370 -Pipe 34c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 118 -Pipe 364 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 390 -NGENProcess 36c -Pipe 380 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 370 -Pipe 384 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 118 -Pipe 38c -Comment "NGen Worker Process"2⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 36c -Pipe 11c -Comment "NGen Worker Process"2⤵PID:3028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 370 -Pipe 37c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 118 -Pipe 378 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 36c -Pipe 390 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3ac -NGENProcess 370 -Pipe 394 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2660
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 118 -Pipe 398 -Comment "NGen Worker Process"2⤵PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 36c -Pipe 39c -Comment "NGen Worker Process"2⤵PID:436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 370 -Pipe 3a0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 118 -Pipe 3a4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3b4 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3a8 -NGENProcess 118 -Pipe 3a0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 3c8 -NGENProcess 3bc -Pipe 388 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1596
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3c4 -Pipe 3b0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3a8 -NGENProcess 3d4 -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a8 -Pipe 36c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2140
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3cc -Pipe 370 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 3c0 -Pipe 3b4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3a8 -Pipe 118 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1116
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3cc -Pipe 3c4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3c0 -Pipe 3d0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3a8 -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3cc -Pipe 3d8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 3c0 -Pipe 3dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3c0 -NGENProcess 3ec -Pipe 3a8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3fc -NGENProcess 3cc -Pipe 3e4 -Comment "NGen Worker Process"2⤵PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f4 -NGENProcess 408 -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 3cc -Pipe 3f0 -Comment "NGen Worker Process"2⤵PID:1368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3cc -NGENProcess 404 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 410 -NGENProcess 408 -Pipe 3e0 -Comment "NGen Worker Process"2⤵PID:2072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3e8 -NGENProcess 418 -Pipe 3cc -Comment "NGen Worker Process"2⤵PID:2224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 418 -NGENProcess 40c -Pipe 408 -Comment "NGen Worker Process"2⤵PID:1668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 418 -NGENProcess 3e8 -Pipe 410 -Comment "NGen Worker Process"2⤵PID:1684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 3ec -NGENProcess 40c -Pipe 3bc -Comment "NGen Worker Process"2⤵PID:2076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 424 -NGENProcess 3f4 -Pipe 404 -Comment "NGen Worker Process"2⤵PID:1576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 230 -NGENProcess 1ec -Pipe 25c -Comment "NGen Worker Process"2⤵PID:1184
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1628
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2704
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:2096
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1900
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2592
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1660
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1680
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2948
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2440
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize834KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize797KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize163KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.3MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0615c0d3665ab850106e8946d16b71c0\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\06f6bf347e94652506b3e4296ed172c6\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize187KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\b49d53ffb803fbdf31b39f4066bc9b58\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c9d6da50f18c69653d9fe2644691eb07\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB