Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
03/01/2025, 12:09
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Resource
win7-20241010-en
General
-
Target
2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
-
Size
5.0MB
-
MD5
a709d7df28f649a44714d72be0a82062
-
SHA1
e22bca2840cae46ef9bb615c1be931e531df9f54
-
SHA256
c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f
-
SHA512
7961125036699f546edde26f5c6a645a3a2bf01858c6dd72645dbcd687f833650bef854c59a403d14d43698a730523b145830c6ffafff650f9e4a00c9369a0bd
-
SSDEEP
24576:rbLgddQhfdmMSirYbcMNgef0N/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rnAQqMSPbcBVNLNiXicJFFRGNzj3
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3188) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 64 IoCs
pid Process 460 Process not Found 584 alg.exe 2960 aspnet_state.exe 2272 tasksche.exe 1316 mscorsvw.exe 2276 mscorsvw.exe 980 mscorsvw.exe 520 mscorsvw.exe 560 ehRecvr.exe 1208 ehsched.exe 576 elevation_service.exe 2364 IEEtwCollector.exe 3060 GROOVE.EXE 2784 maintenanceservice.exe 1408 msdtc.exe 2740 mscorsvw.exe 696 msiexec.exe 1572 OSE.EXE 2780 perfhost.exe 1592 locator.exe 3048 mscorsvw.exe 2908 snmptrap.exe 1304 vds.exe 608 vssvc.exe 912 mscorsvw.exe 2300 wbengine.exe 2072 WmiApSrv.exe 2184 wmpnetwk.exe 432 mscorsvw.exe 2428 SearchIndexer.exe 2144 mscorsvw.exe 1740 mscorsvw.exe 2560 mscorsvw.exe 1492 mscorsvw.exe 836 mscorsvw.exe 1236 mscorsvw.exe 2456 mscorsvw.exe 2284 mscorsvw.exe 2056 mscorsvw.exe 2108 mscorsvw.exe 2240 mscorsvw.exe 2136 mscorsvw.exe 1108 mscorsvw.exe 1956 mscorsvw.exe 2580 mscorsvw.exe 2916 mscorsvw.exe 2444 mscorsvw.exe 432 mscorsvw.exe 2104 mscorsvw.exe 1236 mscorsvw.exe 2052 mscorsvw.exe 3020 mscorsvw.exe 2904 mscorsvw.exe 1512 mscorsvw.exe 888 mscorsvw.exe 2272 mscorsvw.exe 2992 mscorsvw.exe 1236 mscorsvw.exe 2112 mscorsvw.exe 1080 mscorsvw.exe 3000 mscorsvw.exe 2572 mscorsvw.exe 1164 mscorsvw.exe 2848 mscorsvw.exe -
Loads dropped DLL 54 IoCs
pid Process 460 Process not Found 460 Process not Found 460 Process not Found 460 Process not Found 460 Process not Found 460 Process not Found 460 Process not Found 696 msiexec.exe 460 Process not Found 460 Process not Found 460 Process not Found 460 Process not Found 460 Process not Found 748 Process not Found 2272 mscorsvw.exe 2272 mscorsvw.exe 1236 mscorsvw.exe 1236 mscorsvw.exe 1080 mscorsvw.exe 1080 mscorsvw.exe 2572 mscorsvw.exe 2572 mscorsvw.exe 2848 mscorsvw.exe 2848 mscorsvw.exe 2992 mscorsvw.exe 2992 mscorsvw.exe 888 mscorsvw.exe 888 mscorsvw.exe 2112 mscorsvw.exe 2112 mscorsvw.exe 1492 mscorsvw.exe 1492 mscorsvw.exe 1792 mscorsvw.exe 1792 mscorsvw.exe 1320 mscorsvw.exe 1320 mscorsvw.exe 2272 mscorsvw.exe 2272 mscorsvw.exe 912 mscorsvw.exe 912 mscorsvw.exe 1360 mscorsvw.exe 1360 mscorsvw.exe 2952 mscorsvw.exe 2952 mscorsvw.exe 2868 mscorsvw.exe 2868 mscorsvw.exe 2544 mscorsvw.exe 2544 mscorsvw.exe 1712 mscorsvw.exe 1712 mscorsvw.exe 2572 mscorsvw.exe 2572 mscorsvw.exe 3020 mscorsvw.exe 3020 mscorsvw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWow64\perfhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbengine.exe aspnet_state.exe File opened for modification C:\Windows\system32\SearchIndexer.exe aspnet_state.exe File opened for modification C:\Windows\system32\fxssvc.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\System32\alg.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe aspnet_state.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\vssvc.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\dllhost.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\30f2957d5f6c6349.bin aspnet_state.exe File opened for modification C:\Windows\system32\dllhost.exe aspnet_state.exe File opened for modification C:\Windows\system32\locator.exe aspnet_state.exe File opened for modification C:\Windows\System32\snmptrap.exe aspnet_state.exe File opened for modification C:\Windows\System32\vds.exe aspnet_state.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe aspnet_state.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Windows\system32\fxssvc.exe aspnet_state.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\System32\msdtc.exe aspnet_state.exe File opened for modification C:\Windows\system32\msiexec.exe aspnet_state.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe aspnet_state.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe aspnet_state.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe aspnet_state.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe aspnet_state.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe aspnet_state.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe aspnet_state.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8E3B.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe aspnet_state.exe File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7262.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP9463.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP76D5.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat mscorsvw.exe -
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GROOVE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030d7677dd85ddb01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009015fc77d85ddb01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10300 = "Play the classic strategy game of Checkers against online opponents. Be the first to capture all your opponent’s pieces, or leave them with no more moves, to win the game." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428} 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mycomput.dll,-300 = "Computer Management" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\WpadDecisionTime = f0b97a5ed85ddb01 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" ehRec.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings GROOVE.EXE Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" ehRecvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ wmpnetwk.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" ehRec.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2288 ehRec.exe 2960 aspnet_state.exe 2960 aspnet_state.exe 2960 aspnet_state.exe 2960 aspnet_state.exe 2960 aspnet_state.exe 2976 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe 2976 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe 2976 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe 2976 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe 2976 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1740 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Token: SeTakeOwnershipPrivilege 2960 aspnet_state.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: 33 2704 EhTray.exe Token: SeIncBasePriorityPrivilege 2704 EhTray.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeDebugPrivilege 2288 ehRec.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeSecurityPrivilege 696 msiexec.exe Token: 33 2704 EhTray.exe Token: SeIncBasePriorityPrivilege 2704 EhTray.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeBackupPrivilege 608 vssvc.exe Token: SeRestorePrivilege 608 vssvc.exe Token: SeAuditPrivilege 608 vssvc.exe Token: SeBackupPrivilege 2300 wbengine.exe Token: SeRestorePrivilege 2300 wbengine.exe Token: SeSecurityPrivilege 2300 wbengine.exe Token: SeManageVolumePrivilege 2428 SearchIndexer.exe Token: 33 2184 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2184 wmpnetwk.exe Token: 33 2428 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2428 SearchIndexer.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeDebugPrivilege 2960 aspnet_state.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeDebugPrivilege 2976 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe Token: SeShutdownPrivilege 980 mscorsvw.exe Token: SeShutdownPrivilege 520 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2704 EhTray.exe 2704 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2704 EhTray.exe 2704 EhTray.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 2572 SearchProtocolHost.exe 2572 SearchProtocolHost.exe 2572 SearchProtocolHost.exe 2572 SearchProtocolHost.exe 2572 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 1260 SearchProtocolHost.exe 2572 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 520 wrote to memory of 2740 520 mscorsvw.exe 47 PID 520 wrote to memory of 2740 520 mscorsvw.exe 47 PID 520 wrote to memory of 2740 520 mscorsvw.exe 47 PID 520 wrote to memory of 3048 520 mscorsvw.exe 52 PID 520 wrote to memory of 3048 520 mscorsvw.exe 52 PID 520 wrote to memory of 3048 520 mscorsvw.exe 52 PID 980 wrote to memory of 912 980 mscorsvw.exe 56 PID 980 wrote to memory of 912 980 mscorsvw.exe 56 PID 980 wrote to memory of 912 980 mscorsvw.exe 56 PID 980 wrote to memory of 912 980 mscorsvw.exe 56 PID 980 wrote to memory of 432 980 mscorsvw.exe 82 PID 980 wrote to memory of 432 980 mscorsvw.exe 82 PID 980 wrote to memory of 432 980 mscorsvw.exe 82 PID 980 wrote to memory of 432 980 mscorsvw.exe 82 PID 980 wrote to memory of 2144 980 mscorsvw.exe 62 PID 980 wrote to memory of 2144 980 mscorsvw.exe 62 PID 980 wrote to memory of 2144 980 mscorsvw.exe 62 PID 980 wrote to memory of 2144 980 mscorsvw.exe 62 PID 2428 wrote to memory of 2572 2428 SearchIndexer.exe 63 PID 2428 wrote to memory of 2572 2428 SearchIndexer.exe 63 PID 2428 wrote to memory of 2572 2428 SearchIndexer.exe 63 PID 2428 wrote to memory of 1660 2428 SearchIndexer.exe 64 PID 2428 wrote to memory of 1660 2428 SearchIndexer.exe 64 PID 2428 wrote to memory of 1660 2428 SearchIndexer.exe 64 PID 980 wrote to memory of 1740 980 mscorsvw.exe 65 PID 980 wrote to memory of 1740 980 mscorsvw.exe 65 PID 980 wrote to memory of 1740 980 mscorsvw.exe 65 PID 980 wrote to memory of 1740 980 mscorsvw.exe 65 PID 980 wrote to memory of 2560 980 mscorsvw.exe 66 PID 980 wrote to memory of 2560 980 mscorsvw.exe 66 PID 980 wrote to memory of 2560 980 mscorsvw.exe 66 PID 980 wrote to memory of 2560 980 mscorsvw.exe 66 PID 980 wrote to memory of 1492 980 mscorsvw.exe 67 PID 980 wrote to memory of 1492 980 mscorsvw.exe 67 PID 980 wrote to memory of 1492 980 mscorsvw.exe 67 PID 980 wrote to memory of 1492 980 mscorsvw.exe 67 PID 980 wrote to memory of 836 980 mscorsvw.exe 68 PID 980 wrote to memory of 836 980 mscorsvw.exe 68 PID 980 wrote to memory of 836 980 mscorsvw.exe 68 PID 980 wrote to memory of 836 980 mscorsvw.exe 68 PID 980 wrote to memory of 1236 980 mscorsvw.exe 84 PID 980 wrote to memory of 1236 980 mscorsvw.exe 84 PID 980 wrote to memory of 1236 980 mscorsvw.exe 84 PID 980 wrote to memory of 1236 980 mscorsvw.exe 84 PID 980 wrote to memory of 2456 980 mscorsvw.exe 70 PID 980 wrote to memory of 2456 980 mscorsvw.exe 70 PID 980 wrote to memory of 2456 980 mscorsvw.exe 70 PID 980 wrote to memory of 2456 980 mscorsvw.exe 70 PID 980 wrote to memory of 2284 980 mscorsvw.exe 71 PID 980 wrote to memory of 2284 980 mscorsvw.exe 71 PID 980 wrote to memory of 2284 980 mscorsvw.exe 71 PID 980 wrote to memory of 2284 980 mscorsvw.exe 71 PID 980 wrote to memory of 2056 980 mscorsvw.exe 72 PID 980 wrote to memory of 2056 980 mscorsvw.exe 72 PID 980 wrote to memory of 2056 980 mscorsvw.exe 72 PID 980 wrote to memory of 2056 980 mscorsvw.exe 72 PID 980 wrote to memory of 2108 980 mscorsvw.exe 73 PID 980 wrote to memory of 2108 980 mscorsvw.exe 73 PID 980 wrote to memory of 2108 980 mscorsvw.exe 73 PID 980 wrote to memory of 2108 980 mscorsvw.exe 73 PID 980 wrote to memory of 2240 980 mscorsvw.exe 74 PID 980 wrote to memory of 2240 980 mscorsvw.exe 74 PID 980 wrote to memory of 2240 980 mscorsvw.exe 74 PID 980 wrote to memory of 2240 980 mscorsvw.exe 74 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1740 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2272
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:584
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -m security1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1316
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2276
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 24c -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 24c -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 23c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 268 -NGENProcess 248 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1108
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 24c -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 264 -NGENProcess 240 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 298 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:432
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 23c -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2a4 -NGENProcess 24c -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2740
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3048
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 200 -NGENProcess 1e4 -Pipe 204 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3020
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 254 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1512
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:888
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2272
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1e4 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 260 -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2112
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 248 -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 248 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3000
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 260 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1164
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2848
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 26c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"2⤵PID:632
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 230 -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 294 -Pipe 26c -Comment "NGen Worker Process"2⤵PID:2548
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 200 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:888
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 288 -NGENProcess 290 -Pipe 230 -Comment "NGen Worker Process"2⤵PID:1688
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2112
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 294 -NGENProcess 200 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:2840
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1492
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 290 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:932
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2ac -NGENProcess 200 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1792
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 200 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:3020
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:1320
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:900
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2272
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:2868
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 200 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:912
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:1968
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:1360
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:2292
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:2952
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 274 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:2420
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e0 -NGENProcess 258 -Pipe 2dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2868
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 258 -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1872
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2e8 -NGENProcess 274 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:2092
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"2⤵PID:2040
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2e4 -Pipe 2e0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e4 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"2⤵PID:2648
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 304 -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 30c -NGENProcess 258 -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 308 -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:1360
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2e4 -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:2272
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 258 -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:1084
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 304 -Comment "NGen Worker Process"2⤵PID:1108
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2e4 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:1204
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 258 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2172
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:2140
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2e4 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:2148
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 258 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:276
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:2040
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e4 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2880
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 258 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:632
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e4 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:2176
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 33c -NGENProcess 348 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:1972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 334 -NGENProcess 2e4 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 34c -NGENProcess 344 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:2952
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 348 -Pipe 1a8 -Comment "NGen Worker Process"2⤵PID:2992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e4 -Pipe 258 -Comment "NGen Worker Process"2⤵PID:2420
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:2980
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:1768
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2e4 -Pipe 334 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3020
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 2e4 -NGENProcess 358 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1792
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 368 -NGENProcess 348 -Pipe 350 -Comment "NGen Worker Process"2⤵PID:2512
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 364 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:2156
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 358 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:1708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 348 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 364 -Pipe 360 -Comment "NGen Worker Process"2⤵PID:2792
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:560
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1208
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:576
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:2364
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3060
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2784
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:696
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2780
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1592
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2908
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1304
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2072
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3692679935-4019334568-335155002-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2572
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1660
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5a85c0c7e0be6a91b5fa0d5ae11b4cd16
SHA10dc88aae776fe01d102f7d9ae14d24d84169dcb2
SHA2565b40ba0385bfcdf34765256fe0cb19261afd4111d437998c7a6fcddab307a29b
SHA512493e35d80a2a7a49b544d0d37aa91d26c86e702b7df8f3887d13f52ad48275cbed448bef4f40b1d60e5f7dbd7c8e24ff8338944336791f2b1cea284a3be9b291
-
Filesize
30.1MB
MD508e50db5a83b52abfc4c4256076293d4
SHA151e2bbc0e1219f7fa6658c1a2eaff367ee0f0972
SHA25682ada8ff965003090a581e9ee813e9738c0ea18ef7414c7167629b913ffc4e4f
SHA51213bc3acb15e757a6badca38956d7347a327d776355a136e5d6fd142f80331eda8ff1038136f226e6775bfadc93c340ac687fcd7300f58e796ccb5bbdff9f95c7
-
Filesize
1.4MB
MD55963bbabaa00d638a3e928e5579e449a
SHA1b3c2aa6e6b987efeea10ceaf5d9380a0a1aaaa8a
SHA2568170f6b0245767e99519321144a3b8eebecef35a1bd8ef1443023b98338a8496
SHA5123ab492e95258a3cb1d184a2cc7bf7feee1518d11184d2d551544d1261ddf94d2deef9ccfade38fa4b15f2c4b5739748ddf0fdfaecbbf1f8ea0367c2145266399
-
Filesize
2.1MB
MD5cc6b38c0bce3e5a4beb3c2ca6214827c
SHA1a3456174d94cc89b00c6afc7a7336d971eed1da4
SHA2566ee26f860a30ee309ac127322dfdeeb346598271102d65e8dcf43ae6fb4121de
SHA5122133677882ab773a1dfea8a75228645c61e0ee2b7df5bc01ee8643ff6f0a55c9059f6763a3f93f3e70eb9977d6f709388cb8722acc7c65ff3f644209465ea551
-
Filesize
2.0MB
MD51962ad8d277bd6565faae3c7efd31688
SHA18c7a06af42b2f85d450723321c928e815a820729
SHA256217255b751cc9b822037598e5229a2ca5f11fa5bb421b429c4b2ca0a14f00c2b
SHA5129adb3b0fece63c3aa58616f04390adb8ddbd4c6fbd8551d61b1644fe17402ef25fc66994737d26c15bb1d8b8fdd700af94e8a1aeed03040ac13c86a279fb156e
-
Filesize
1024KB
MD551da34a4f22540e7676f7e66bbb3d544
SHA1963a8594079797affc9f8761097d2923fbdaaa79
SHA2569f28ece875b6bbe68f45aa53fc6d82f4891ba8112988e67c9d09c564ff6fced6
SHA51233cc454adcbf59703a93e68a0523ff49a6e5dea120cfb16f4e5b74417b0bff426e8cf6c6adca7cc92c2a7f65ce626e7eece84b8f3f5c4199afce2a7a6c6f524f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
1.3MB
MD5a93108672043a5b478741734db687418
SHA18ead5a00f0b9e884a55e36359c9d00e1bcd954fd
SHA256137c074e77fcb4113b407a4871338d4c637bd610c10ccabda9c80f1b7453d430
SHA512ee1e924081325b79d5fe48412e74606552431e77b13dae68b1d8d430d58b3ed824020e977e5a953ccfd6b47c03a1713a91c10374b33d456b360fca4962ce1232
-
Filesize
872KB
MD5fa247235ebc2269080928a1e9c12e4be
SHA1abae1a849d0c16c0287c1c847529f7aab39cb1ea
SHA256b83d6b9d6f97a1a257a654ee53b60db46e71a29ba3f814315f80fd7f954ff16b
SHA51242b28cfd7f076aef21ea122df8cea2b6d475dbdf339f8f858c1d9cc0698447a5702d6916dc8b6411e25895fa090b3d9ba61c4cd7fc88cbfcf4aa2bc30844e0fc
-
Filesize
1.3MB
MD521b8951903185cd8c8d23dae8728cad9
SHA1000f74796cc06c5742a8f86dcc37213f243d1a67
SHA256c046883c856732be842626b8a771d13aadec9926786b73b7c911c1f96ea529a6
SHA512316c71f42a0c3b4784cff3db1484e353b806839e1d84147b66b9d2cfa7a599900a9c2ce99e38dd9533794927e3ef6c02c1589add13385f30e48e1f6305128177
-
Filesize
8KB
MD552863b738fbf98572c843514c135688c
SHA187be419bd95ec3ef8d46e12545d64a2de37144dc
SHA256c4a445b28896ee58f694641650c4fc2dca3109878c181f13e2c33904c1bdaa7a
SHA512b73ba6bd35ae2e210910a7e34d6a7b89bd02f041d14c2f9128bfbff8cc70689d0c5c2a64752358424699377b807c1c09fbcbd623583b0a4de4124cc4bfeea2bb
-
Filesize
1.3MB
MD5d5ac962ba4196f2fa94b61a06b51dc09
SHA1479cb3a8c6999ea73bc40d54442170335d9af5d0
SHA2566bacd7269a4c1be9b1026f5f73fc8e0489c86b8fcdb746422a3af980d955ae2f
SHA51266f471cd41f6c5c14ff062bb1b2fe81cd6f082c6303219d07033268c468361f1b8418a6e54fe38916386371d4624dd692e88099d89e088dc7363f83032df32e3
-
Filesize
1003KB
MD581da681f8aa2f4f2117c2f549c798de2
SHA1616c7e4498167debcea7bc18beddb05af7952deb
SHA2561d800d4531712c2692e097b819c45a6a91b3f4f4123f48fdf543ffb65328e84a
SHA5123ae0dd0297d01a0d7134560755fb8daf1408c813fa374fbd33f6e22b1b11ca160b9643b4b7a7831099ea43a0d62d675082e934fcac7740cdad2f30fb54edb6e0
-
Filesize
1.3MB
MD581383d2d818aab7f9981b9fd655239b2
SHA1c6adaea0b5e3aac43284df4841f939f7ff9122db
SHA256bad288816e7c1ae5acde13a25fa5a6ddb4ff5de66b4919ab8c4554724a79628d
SHA512c09a9e33842623f032508f1da6bf4bea95ae970395e5a287dfd9b333ca73577fef637714b4b79bc9bb44eb39f62176fa943703f129518415c986e600bc08c6c0
-
Filesize
1.2MB
MD55685572f39170768e79249436a26fcab
SHA12f16fd0cf22279c8980bd556016d63f1bd857f48
SHA256afd0602ea4f9e88cd481c80a513de4976f666dc4431b02da33dc3aeee6d2f91d
SHA512977ad2faa1431600d3719f5a3edf2d67e4e72d8ad090b1d7adf14ac8c10149aeb78d3b089123650d070994b79bcf76d5d2565cde3bff616de0b02dd8190c3a65
-
Filesize
1.2MB
MD5ae5adfa27d7d17293ddfa961eaddd28d
SHA1de2ec9626ce3ca29a3db0234962b464b347bee7c
SHA256d2c1ae5be8ca931a20317d69ea53ca7e82f72daaa49222b6c4f435d9b752fccd
SHA5126968b584d7181ec75099938e2ff422dd457416a74b8ca823e67be08269146460f72435880b7489b9e40a764d23d268225cb60b7136fbdf9c1967a17a249cd37d
-
Filesize
1.1MB
MD541d629d2f818f15448798347b54b3f92
SHA1eb37cdb9e769bec948b35733517ba7af8bf626dc
SHA25682a0bc98f466d9dc9564cded90c80eeb7cd63c88b30f41f0c748fe2c1249f2ae
SHA512c4aaf96ec89ae417b76e4a2b08ec7dc44217b57e4b8f43fbfd879afddb56894bd53d2a37817bad772e4d94d749d858daabaf18971762fbe8201fcca194656807
-
Filesize
2.1MB
MD5e7ebd6b078df3cd6e2917e43c9a1a980
SHA119c43a07b6c4faf98042f51faa4358058b096840
SHA256900b8e8f92ec9b1c504356f6f984ab227d240b7d6401d186356f896a8dfeec28
SHA5124c97cadf592a22baacd38d7d3babc659164b2da5d952f88f75fbadbc7e18bf94a6c7a3d02d83ddb5d9ad5f2999e15c93d732a78774731b4b72b0f3edfc69c485
-
Filesize
1.3MB
MD5ba53b10a57cd2dcf1cb5c6dd824f826b
SHA1845ecf55a92256b8041d154aec6827b9e0b486a5
SHA256f265c9e20796d0bef5bd787ac1b2d9842be66d9b913987556084071983aa3bea
SHA5122abbfa241aebf87faaf68b8679917cbf5053dd60df6ff6154f133c535fb6b536921133e732e90083e89c689e9beecccb606e1647c6fa2e364d2d9cf704330883
-
Filesize
1.2MB
MD563971469e7c0ba38b250ce1dbd5f2b49
SHA112def4e358c68207947bd0e99c805b378d975c2c
SHA25683f8d3efdbd0ba13edb3a6557c90c701218120d4aff1510cb38747f1f44531b1
SHA512bc87566a375cc448c9dc2a971484682e60420ddbf3be3edab01bdd7630f5900a97dd9b3ff752a8afca9b4e123d2fa21c1b0149db0167328fe2651e275671221f
-
Filesize
1.7MB
MD5673781233b21a2793db5b08f94db78f4
SHA1298d2206834f065c25261aabf79d43ccd39cf006
SHA256d291503e6e066bbe70869c7bbfd457df200ed4b04f9ffff27acb0c033f29baa0
SHA5123b39a7ad9e249fa37a09268c2ca060f9bd8b1abeb67301523ee4615fc4dc0b14be85f0b733d60d93c508f7306dc7cde7e558bc66fc3d75fa9e58ead5f1dd51ae
-
Filesize
1.4MB
MD5e0e3a3b3a9a5ecd7992fa2a38ee9b32a
SHA1e32dfb42d8fb9d6742ad305af447fd0773224df7
SHA2565adf6524a84ef9cec87ecfca2a84539f51818f0ba7c4125f69dd4f55b4f3d1f8
SHA5126c6043085a4edc537f594052ed950f4022fe1782fad813c23394ba2c98e7387119a7d552ba50fac21855903e4b0c85120aaed84dc4c6099670ac4b6f357498fb
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize105KB
MD5d9c0055c0c93a681947027f5282d5dcd
SHA19bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA5125404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize248KB
MD54bbf44ea6ee52d7af8e58ea9c0caa120
SHA1f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize205KB
MD50a41e63195a60814fe770be368b4992f
SHA1d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA2564a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA5121c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize43KB
MD568c51bcdc03e97a119431061273f045a
SHA16ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA2564a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4305de9742a40d9395fa1659df9c3f00\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize271KB
MD5aa752831fdf76915a0bfcffb81dfc223
SHA146e734776cad3fe37b3d4217218c0f504b143e97
SHA2563f4ecf96e0e4a582045acfa5d6d95e5dc8b8b621f684a5aeee945cca1fd30aeb
SHA5125b7238662eded7bc8b43725bc4154ee3cc4b9228ebe6c77984bf93fe0e669b7688edad03cb735710b846ce95d4eaca7b9227dd197671b263255f31d8f52af5ac
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize70KB
MD557b601497b76f8cd4f0486d8c8bf918e
SHA1da797c446d4ca5a328f6322219f14efe90a5be54
SHA2561380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA5121347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\952ede05f03f8e49e4c4acd4a8064c3f\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize221KB
MD5fd49f76f160b520a0b0c23cccd734643
SHA19d20f4ed1ffe27fe76e2b2328e3aa213bbdbc4f7
SHA2569265926395c7e5bf87059501a2268c94bd566129e4d9bb361745dbf5eb7d2acf
SHA512767b072bb4f52e47522f855238541598e56f3e819ec5852f3bbe092c00747fa6823d113e84716e6ffad88b55f5ae2715446359aab158693ec32ac01070b03bed
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\956c6aa7bc2c755a222fa812b31923a2\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize122KB
MD50a568b577127f2b5e4657413f9b60f2d
SHA107b991d7e593c12641a87b44e0f0239397d81538
SHA2564347d4ad99abe4753a546fe78183ee75bf602790a3e0e4ab12a32ad8b482ffad
SHA512c86e948917e0cad3d3db485f32d3945ad4c1e74d097712a6919c87c8ead544961e59e76c2f1b39ad3d87bb0a60a90f56aaffa495c3c17b3f73d6a099a392ba2e
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9900a3dfba598a4745de9b1a0be6dc9b\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize305KB
MD5123d41de2fb2da87b73e482ae3faf858
SHA16542bf4cce5cd2cb350035de6d641ed209fa74ab
SHA256ec3215639346b143e06d36596d5dfef97ba96d01a66f5431c7d33b3c91804ccc
SHA512a0893ade30ccfd658f07326431db460703361d4f07f5af767f4fc51af7ec1ec8607285cf15550ea683cd64c94b8727d143774af0d959207c0f2b3a523196df5e
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize82KB
MD52eeeff61d87428ae7a2e651822adfdc4
SHA166f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA25637f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize43KB
MD5dd1dfa421035fdfb6fd96d301a8c3d96
SHA1d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA5128e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize124KB
MD5929653b5b019b4555b25d55e6bf9987b
SHA1993844805819ee445ff8136ee38c1aee70de3180
SHA2562766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize2.1MB
MD510b5a285eafccdd35390bb49861657e7
SHA162c05a4380e68418463529298058f3d2de19660d
SHA2565f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA51219ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize88KB
MD51f394b5ca6924de6d9dbfb0e90ea50ef
SHA14e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA2569db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476
-
Filesize
3.4MB
MD5a376b33169cb2bd169e62a4893d5daeb
SHA1eaeeca0604fda0f3b45bf83d6a630402ccbe1a2d
SHA256dbbdfc40f2228e5b1a42bc35ec6e270c927c62c129279c31710daeeb83668940
SHA5123619c4fbd194711c7f2436ca8084416ac9bf8370eb7dfad32144ec18d44d85787fd2135538fe59141dad89e5175bf673cc89962d98515ee844a56fc36aa963ac
-
Filesize
1.3MB
MD529402e7909d194e2342b8f327dba20c0
SHA19454c3fb64072482b40b7329d09803ec9c85e6b9
SHA2567475d664a3e9c5c2cdb9e95917f5e0e211f8f4e8f3bc8536ab5b96de1b44dad8
SHA512de7668bf300829a6ff4d3453a041d23ee4212514ca7e786b7e83900c1c6bc7f0fb632cd6941b28f27c92a45b1353a6bbc9f353e9b957323e2d2a48afe2577788
-
Filesize
1.3MB
MD5849820a9cc65a80892e4f4dfc64ed263
SHA1c8e58a59557523445dde952f04c075c2d52dca7c
SHA256b4c83d12b48b49b5b7900490fbaa2657cba6e5e4a8e1384e726a002156c0093a
SHA512156e0f0fbcd99b20423237c1372acab4363d024030fcd4447c299813d01fe7a6fece212aea4f24e052530d498388b64fdcaab52efb508860bd6749d9925f106f
-
Filesize
1.4MB
MD510bb263966381c920b04c8dd3dcee17b
SHA19ff30d8dc83b74ecaa9ee18b388f02776a87d331
SHA2569b92582a24be3d97257e95f5d651fdf7ce506f816cad85dbbc45b5bceb38e143
SHA5121556e8e8ed1ee122217562a0a9a4bc392fb67daa705103e184cf070c6a69530fe579cbe7ea4dbafccaff6918b59090794e7f43d9aff2f4bf6a19e5d0d1473e43
-
Filesize
1.3MB
MD5cc1accaa6a30b63844deac41b18ef556
SHA17f0f11eed5d5a7d1a02943778d76772a8824f538
SHA2560a5283afbfc85fc1c7b3c5d24f8c8f7477d29fa50242fd8944e2be2059a7221f
SHA5124bfa4222f2c866b8f9c22e7780b4e421db145e1e66bea541c10c841bb234086c5fecb373bf1676de80604977121827dc7e49c9ff5161a9a34855511fb5341d36
-
Filesize
2.0MB
MD5d99bca33133424c92cdc5ee1afbe5bbc
SHA16b6888c07e79f8c5e8d6606f42023b115c36e4ed
SHA256b6e809f3c95ff01c198e1fb53047875f2e67c8c5b938c6bee237ea6dab5f406c
SHA512f3f2081d49cd13db2b2a62783ed0aef10fa6eb7fbfc89449f1192f3328b5deb497b7bf0ce4419830cf8c15a6bbac25512ed7a7214050e3e8c3af1cfa7aa96bcf
-
Filesize
1.2MB
MD56f352347f93b21b5145f981c3aacf4e3
SHA145a05779a0965b9a7edeb96f185da21fcbadd636
SHA25631b7d5a6c12b191433946404e23f8ad5c4c6d5dd7684be26960812fbe68e7cf6
SHA512a39b671daf34be11ca2606a946e86bbe8394676356a487e38abda8e61dfaed204d4a1f5f4a578d7c9a3168116d784a36a3b40394f57cd2a1c4bd13b11aee927b
-
Filesize
1.3MB
MD55d691c0db033d08e9fbeaabf32557bcc
SHA1940f3b1901428514722207c14bd7a7defe3b23e7
SHA256489a2415c457bbc209ab4bf17e568a9e76538e4d1ea14dca40ee461ad82bb6e5
SHA51247dc7d01ab47743844d4ecebff4880afc4d8a7b6d7706cced2af5b3dd7654057fb00ee828f328f7c6b6ae8745deda43fd74d010b23e3b9d73db3690faeaaf44e