Analysis

max time kernel: 120s
max time network: 116s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 11:56

Static task: static1
Behavioral task: behavioral1
Sample: f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Resource: win7-20240903-en

General

Target: f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Size: 1.2MB
MD5: 62dfff176a11047abf58fb4d8bb0d8f0
SHA1: 6bd017e4d99e2d772dc5b97903ca49f710b39245
SHA256: f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002a
SHA512: 16572a589c51cd29ec4d2db2a743a4269d4bd30a36bc4c838835261ea44a0707024a6a24374c639fb5eaaa55f9d5110076963428ccb9ac22144411a1df4cd426
SSDEEP: 12288:hqK7/txUVLDAptNyvUgXZ32dT4ePc7N29Cxs5+j2QNbxf53nHVoTOyEx:hptxLNyBo4kx929bL3Hnx
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid | Process
480 | Process not Found
2652 | alg.exe
2796 | aspnet_state.exe
2596 | mscorsvw.exe
2388 | mscorsvw.exe
3012 | mscorsvw.exe
2856 | mscorsvw.exe
1844 | ehRecvr.exe
2368 | ehsched.exe
2504 | elevation_service.exe
1840 | IEEtwCollector.exe
1732 | GROOVE.EXE
1704 | maintenanceservice.exe
3000 | msdtc.exe
872 | msiexec.exe
2648 | OSE.EXE
3052 | perfhost.exe
3060 | locator.exe
2992 | snmptrap.exe
892 | vds.exe
2108 | vssvc.exe
1080 | wbengine.exe
2476 | WmiApSrv.exe
2424 | mscorsvw.exe
2032 | wmpnetwk.exe
3064 | SearchIndexer.exe
2016, 2208, 2768, 2028, 1952, 2524, 2060, 2568, 2888, 2328, 1556, 1484, 824, 1776, 1444, 2292, 2396, 1368, 1244, 2216, 2520, 2256, 588, 2792, 1268, 1336, 748, 3032, 1320, 1952, 2184, 2176, 1556, 348, 2100, 2152, 1712, 868 | mscorsvw.exe (38 further instances, in the order listed)
Loads dropped DLL 64 IoCs
pid | Process
480 | Process not Found (7 entries)
872 | msiexec.exe
480 | Process not Found (5 entries)
760 | Process not Found
1320, 2184, 1556, 2100, 1712, 1240, 2324, 2312, 2572, 2332, 1032, 332, 2468, 1528, 1620, 2812, 2372, 448, 1844, 1696, 2800, 2640, 2020, 1688, 604 | mscorsvw.exe (each PID listed twice, 50 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\System32\msdtc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\System32\vds.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\vssvc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\d29047dfcb22606b.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\msiexec.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\dllhost.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\locator.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP79F.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBA0C.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCB6A.tmp\ehiVidCtl.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBEDC.tmp\Microsoft.Office.Tools.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC88.tmp\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index150.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14c.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14d.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2AF.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInProxy.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE8A.tmp\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC265.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index151.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBB63.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14e.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index152.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat | mscorsvw.exe
File created | C:\Windows\assembly\ngenlock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat | mscorsvw.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index14f.dat | mscorsvw.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54E.tmp\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\assembly\GACLock.dat | mscorsvw.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe (63 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GROOVE.EXE (1 occurrence)
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | mscorsvw.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | mscorsvw.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | mscorsvw.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | mscorsvw.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token                        pid   Process
SeTakeOwnershipPrivilege     2392  f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
33                           2964  EhTray.exe
SeIncBasePriorityPrivilege   2964  EhTray.exe
SeDebugPrivilege             816   ehRec.exe
33                           2964  EhTray.exe
SeIncBasePriorityPrivilege   2964  EhTray.exe
SeRestorePrivilege           872   msiexec.exe
SeTakeOwnershipPrivilege     872   msiexec.exe
SeSecurityPrivilege          872   msiexec.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeBackupPrivilege            2108  vssvc.exe
SeRestorePrivilege           2108  vssvc.exe
SeAuditPrivilege             2108  vssvc.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeBackupPrivilege            1080  wbengine.exe
SeRestorePrivilege           1080  wbengine.exe
SeSecurityPrivilege          1080  wbengine.exe
SeManageVolumePrivilege      3064  SearchIndexer.exe
33                           3064  SearchIndexer.exe
SeIncBasePriorityPrivilege   3064  SearchIndexer.exe
33                           2032  wmpnetwk.exe
SeIncBasePriorityPrivilege   2032  wmpnetwk.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeDebugPrivilege             2392  f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
SeDebugPrivilege             2392  f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
SeDebugPrivilege             2392  f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
SeDebugPrivilege             2392  f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
SeDebugPrivilege             2392  f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeDebugPrivilege             2652  alg.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
SeShutdownPrivilege          3012  mscorsvw.exe
SeShutdownPrivilege          2856  mscorsvw.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2964  EhTray.exe
2964  EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
2964  EhTray.exe
2964  EhTray.exe
Suspicious use of SetWindowsHookEx 15 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

"C:\Users\Admin\AppData\Local\Temp\f749831a87bae7e9f456727421f090a72f29bbd037d07b61dbea1605b96a002aN.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2596

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2424

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2016

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2208

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 1d8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2768

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 24c -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1952

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2524

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1dc -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2060

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1f4 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2568

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 254 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2888

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 1dc -Pipe 268 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2328

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 274 -NGENProcess 1dc -Pipe 1f4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1556

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 250 -Pipe 26c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1484

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 284 -NGENProcess 238 -Pipe 24c -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:824

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 274 -NGENProcess 28c -Pipe 1dc -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1776

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 290 -NGENProcess 238 -Pipe 27c -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 288 -NGENProcess 298 -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2292

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 250 -NGENProcess 280 -Pipe 294 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 280 -Pipe 238 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1368

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1244

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2520

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 250 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2256

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1268

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 248 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1d8 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:748

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 1dc -Pipe 264 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 218 -NGENProcess 294 -Pipe 25c -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1320

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 1dc -NGENProcess 294 -Pipe 244 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:1952

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2a8 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2184

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c8 -NGENProcess 218 -Pipe 1ec -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2176

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 260 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1556

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 294 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:348

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a4 -NGENProcess 218 -Pipe 1dc -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2100

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 218 -NGENProcess 260 -Pipe 2a0 -Comment "NGen Worker Process"
  - Executes dropped EXE
  PID:2152

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 288 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1712

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 298 -Pipe 238 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1240

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 288 -Pipe 1c8 -Comment "NGen Worker Process"
  PID:2448

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ac -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2324

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"
  PID:2388

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2b0 -NGENProcess 2bc -Pipe 294 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2312

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2bc -NGENProcess 218 -Pipe 2ac -Comment "NGen Worker Process"
  PID:1896

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2572

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 270 -NGENProcess 2b0 -Pipe 260 -Comment "NGen Worker Process"
  PID:2460

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c4 -NGENProcess 298 -Pipe 2b8 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2332

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 2a4 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:1744

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2cc -NGENProcess 2b0 -Pipe 2bc -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1032

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  PID:2320

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 270 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:332

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2b0 -NGENProcess 2d0 -Pipe 28c -Comment "NGen Worker Process"
  PID:1504

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 2d8 -Pipe 298 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2468

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2b0 -Comment "NGen Worker Process"
  PID:2728

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 218 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1528

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2d8 -NGENProcess 2e0 -Pipe 2b4 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:2312

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2ec -NGENProcess 2e4 -Pipe 2dc -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1620

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2e4 -NGENProcess 218 -Pipe 2e8 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:2232

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2812

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"
  - Modifies data under HKEY_USERS
  PID:2056

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2fc -NGENProcess 218 -Pipe 2d8 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:2252

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 2c0 -Comment "NGen Worker Process"
  PID:2904

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:2880

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 218 -Pipe 2c4 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2372

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 218 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:448

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2ec -Comment "NGen Worker Process"
  PID:2320

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"
  PID:588

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 304 -Comment "NGen Worker Process"
  - Modifies data under HKEY_USERS
  PID:2324

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 31c -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:1504

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 308 -NGENProcess 310 -Pipe 2e0 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:2768

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 324 -NGENProcess 314 -Pipe 2d0 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:868

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 300 -Pipe 320 -Comment "NGen Worker Process"
  PID:2616

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 310 -Pipe 2f4 -Comment "NGen Worker Process"
  PID:2364

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 314 -Pipe 218 -Comment "NGen Worker Process"
  PID:2176

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 300 -Pipe 31c -Comment "NGen Worker Process"
  PID:2284

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  - System Location Discovery: System Language Discovery
  PID:2388

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 314 -Pipe 324 -Comment "NGen Worker Process"
  PID:2656

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 300 -Pipe 328 -Comment "NGen Worker Process"
  PID:1684

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 348 -NGENProcess 310 -Pipe 344 -Comment "NGen Worker Process"
  PID:2448

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 32c -NGENProcess 30c -Pipe 314 -Comment "NGen Worker Process"
  PID:1528

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 34c -NGENProcess 334 -Pipe 330 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
PID:856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 310 -Pipe 338 -Comment "NGen Worker Process"2⤵PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 30c -Pipe 33c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 334 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 348 -NGENProcess 120 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:1776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 300 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 32c -NGENProcess 35c -Pipe 334 -Comment "NGen Worker Process"2⤵PID:2956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 360 -NGENProcess 120 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:2256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 350 -Pipe 11c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 35c -Pipe 310 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 120 -Pipe 348 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 120 -NGENProcess 360 -Pipe 374 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 120 -NGENProcess 300 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 32c -NGENProcess 360 -Pipe 30c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 32c -NGENProcess 120 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 350 -NGENProcess 120 -Pipe 368 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2472
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 388 -NGENProcess 32c -Pipe 300 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1356
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 384 -Pipe 380 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 120 -Pipe 360 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 32c -Pipe 35c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 378 -NGENProcess 32c -Pipe 350 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 32c -NGENProcess 398 -Pipe 394 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 3a4 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2800
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 39c -NGENProcess 378 -Pipe 3a0 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3ac -NGENProcess 398 -Pipe 38c -Comment "NGen Worker Process"2⤵PID:2180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3b0 -NGENProcess 3a8 -Pipe 370 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2640
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 39c -Comment "NGen Worker Process"2⤵PID:2572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 32c -NGENProcess 3a8 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3b0 -NGENProcess 3c0 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:2216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 120 -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:2864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 3b4 -NGENProcess 3c4 -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 398 -NGENProcess 378 -Pipe 3b8 -Comment "NGen Worker Process"2⤵PID:1044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3cc -NGENProcess 3b0 -Pipe 32c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 3c4 -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 378 -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:2064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b0 -Pipe 120 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b0 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"2⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3b4 -NGENProcess 3dc -Pipe 398 -Comment "NGen Worker Process"2⤵PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e4 -NGENProcess 3d4 -Pipe 3bc -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3cc -Pipe 3c4 -Comment "NGen Worker Process"2⤵PID:1112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"2⤵PID:476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d4 -Pipe 3d8 -Comment "NGen Worker Process"2⤵PID:332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f0 -NGENProcess 3ec -Pipe 3cc -Comment "NGen Worker Process"2⤵PID:1796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f8 -NGENProcess 3d4 -Pipe 3fc -Comment "NGen Worker Process"2⤵PID:1368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3b4 -NGENProcess 3b0 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 404 -NGENProcess 3ec -Pipe 3dc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3b4 -NGENProcess 40c -Pipe 3f8 -Comment "NGen Worker Process"2⤵PID:1612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3e4 -NGENProcess 3ec -Pipe 3f4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3ec -NGENProcess 3f0 -Pipe 408 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 414 -NGENProcess 40c -Pipe 3d4 -Comment "NGen Worker Process"2⤵PID:1664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 418 -NGENProcess 410 -Pipe 404 -Comment "NGen Worker Process"2⤵PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 3f0 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 420 -NGENProcess 414 -Pipe 41c -Comment "NGen Worker Process"2⤵PID:1092
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3e8 -NGENProcess 3f0 -Pipe 3e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:604
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f0 -NGENProcess 3ec -Pipe 418 -Comment "NGen Worker Process"2⤵PID:2312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 42c -NGENProcess 414 -Pipe 424 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
PID:2076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 414 -NGENProcess 3e8 -Pipe 428 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 434 -NGENProcess 3ec -Pipe 420 -Comment "NGen Worker Process"2⤵PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 438 -NGENProcess 430 -Pipe 3b0 -Comment "NGen Worker Process"2⤵PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 43c -NGENProcess 3e8 -Pipe 3f0 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
PID:2144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 3e8 -NGENProcess 434 -Pipe 3ec -Comment "NGen Worker Process"2⤵PID:2316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 444 -NGENProcess 430 -Pipe 42c -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
PID:1240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 430 -NGENProcess 43c -Pipe 440 -Comment "NGen Worker Process"2⤵PID:1248
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 44c -NGENProcess 434 -Pipe 438 -Comment "NGen Worker Process"2⤵PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 454 -NGENProcess 448 -Pipe 450 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 448 -NGENProcess 430 -Pipe 410 -Comment "NGen Worker Process"2⤵PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 430 -NGENProcess 448 -Pipe 458 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 448 -NGENProcess 444 -Pipe 40c -Comment "NGen Worker Process"2⤵PID:2812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 460 -NGENProcess 3e8 -Pipe 44c -Comment "NGen Worker Process"2⤵PID:1592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 464 -NGENProcess 45c -Pipe 43c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 468 -NGENProcess 444 -Pipe 454 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 46c -NGENProcess 3e8 -Pipe 414 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2520
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 468 -NGENProcess 45c -Pipe 460 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 430 -NGENProcess 470 -Pipe 448 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 474 -NGENProcess 3e8 -Pipe 47c -Comment "NGen Worker Process"2⤵PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 434 -NGENProcess 478 -Pipe 464 -Comment "NGen Worker Process"2⤵PID:3032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 468 -NGENProcess 470 -Pipe 484 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
PID:2440
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 470 -NGENProcess 474 -Pipe 480 -Comment "NGen Worker Process"2⤵PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 488 -NGENProcess 46c -Pipe 470 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 45c -NGENProcess 474 -Pipe 430 -Comment "NGen Worker Process"2⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 488 -NGENProcess 468 -Pipe 478 -Comment "NGen Worker Process"2⤵PID:632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 3e8 -NGENProcess 490 -Pipe 48c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 498 -NGENProcess 474 -Pipe 444 -Comment "NGen Worker Process"2⤵PID:3044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 49c -NGENProcess 468 -Pipe 434 -Comment "NGen Worker Process"2⤵PID:1044
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 3e8 -NGENProcess 4a4 -Pipe 498 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 494 -NGENProcess 468 -Pipe 45c -Comment "NGen Worker Process"2⤵PID:1292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 494 -NGENProcess 3e8 -Pipe 474 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 4b0 -NGENProcess 468 -Pipe 4ac -Comment "NGen Worker Process"2⤵PID:2100
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 468 -NGENProcess 46c -Pipe 4b4 -Comment "NGen Worker Process"2⤵PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 468 -InterruptEvent 49c -NGENProcess 488 -Pipe 4a4 -Comment "NGen Worker Process"2⤵PID:2956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4b0 -NGENProcess 4bc -Pipe 468 -Comment "NGen Worker Process"2⤵PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4a0 -NGENProcess 488 -Pipe 4a8 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4b8 -NGENProcess 4c4 -Pipe 4b0 -Comment "NGen Worker Process"2⤵PID:1436
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 3e8 -NGENProcess 488 -Pipe 490 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1796
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4c0 -NGENProcess 4cc -Pipe 4b8 -Comment "NGen Worker Process"2⤵PID:1792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 46c -NGENProcess 488 -Pipe 494 -Comment "NGen Worker Process"2⤵PID:1928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 4d4 -NGENProcess 3e8 -Pipe 4d0 -Comment "NGen Worker Process"2⤵PID:1668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4bc -NGENProcess 4c4 -Pipe 4cc -Comment "NGen Worker Process"2⤵PID:1528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4bc -InterruptEvent 4d8 -NGENProcess 4a0 -Pipe 49c -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:2020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4d4 -NGENProcess 4e0 -Pipe 4bc -Comment "NGen Worker Process"2⤵PID:2460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4c8 -NGENProcess 4a0 -Pipe 4c0 -Comment "NGen Worker Process"2⤵PID:2988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 4e4 -NGENProcess 4dc -Pipe 4c8 -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 4ec -NGENProcess 4a0 -Pipe 488 -Comment "NGen Worker Process"2⤵PID:2332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 46c -NGENProcess 4e0 -Pipe 4d4 -Comment "NGen Worker Process"2⤵PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 4f0 -NGENProcess 4e8 -Pipe 4c4 -Comment "NGen Worker Process"2⤵PID:1120
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4f8 -NGENProcess 4a0 -Pipe 4f4 -Comment "NGen Worker Process"2⤵PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4fc -InterruptEvent 4f8 -NGENProcess 4f0 -Pipe 4dc -Comment "NGen Worker Process"2⤵PID:2420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e0 -InterruptEvent 4f8 -NGENProcess 4a0 -Pipe 4fc -Comment "NGen Worker Process"2⤵PID:2020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 3e8 -NGENProcess 4f0 -Pipe 4e8 -Comment "NGen Worker Process"2⤵PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 504 -NGENProcess 4e4 -Pipe 46c -Comment "NGen Worker Process"2⤵PID:2064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 508 -NGENProcess 4ec -Pipe 488 -Comment "NGen Worker Process"2⤵
- System Location Discovery: System Language Discovery
PID:1332
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 508 -InterruptEvent 50c -NGENProcess 4f0 -Pipe 500 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 50c -InterruptEvent 510 -NGENProcess 4e4 -Pipe 4e0 -Comment "NGen Worker Process"
PID: 2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 510 -InterruptEvent 514 -NGENProcess 4ec -Pipe 4f8 -Comment "NGen Worker Process"
PID: 1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 514 -InterruptEvent 518 -NGENProcess 4f0 -Pipe 3e8 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 51c -NGENProcess 4e4 -Pipe 504 -Comment "NGen Worker Process"
PID: 2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 51c -InterruptEvent 520 -NGENProcess 4ec -Pipe 508 -Comment "NGen Worker Process"
PID: 2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 524 -NGENProcess 4f0 -Pipe 50c -Comment "NGen Worker Process"
PID: 2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 524 -InterruptEvent 528 -NGENProcess 4e4 -Pipe 510 -Comment "NGen Worker Process"
PID: 2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 528 -InterruptEvent 52c -NGENProcess 4ec -Pipe 514 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
PID: 2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 530 -NGENProcess 4f0 -Pipe 518 -Comment "NGen Worker Process"
PID: 2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 530 -InterruptEvent 534 -NGENProcess 4e4 -Pipe 51c -Comment "NGen Worker Process"
PID: 2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 52c -NGENProcess 53c -Pipe 530 -Comment "NGen Worker Process"
PID: 2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 52c -InterruptEvent 520 -NGENProcess 4e4 -Pipe 524 -Comment "NGen Worker Process"
PID: 2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 540 -InterruptEvent 520 -NGENProcess 52c -Pipe 534 -Comment "NGen Worker Process"
PID: 2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 4a0 -NGENProcess 4e4 -Pipe 528 -Comment "NGen Worker Process"
PID: 2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a0 -InterruptEvent 548 -NGENProcess 538 -Pipe 4f0 -Comment "NGen Worker Process"
PID: 2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 52c -Pipe 544 -Comment "NGen Worker Process"
PID: 2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 550 -NGENProcess 4e4 -Pipe 4ec -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 554 -NGENProcess 538 -Pipe 540 -Comment "NGen Worker Process"
PID: 2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 554 -InterruptEvent 538 -NGENProcess 548 -Pipe 55c -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 538 -InterruptEvent 520 -NGENProcess 558 -Pipe 4a0 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 520 -InterruptEvent 560 -NGENProcess 550 -Pipe 53c -Comment "NGen Worker Process"
PID: 1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 564 -NGENProcess 548 -Pipe 52c -Comment "NGen Worker Process"
PID: 2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 564 -InterruptEvent 568 -NGENProcess 558 -Pipe 54c -Comment "NGen Worker Process"
PID: 1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 568 -InterruptEvent 56c -NGENProcess 550 -Pipe 554 -Comment "NGen Worker Process"
PID: 2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 56c -NGENProcess 568 -Pipe 548 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 56c -InterruptEvent 538 -NGENProcess 550 -Pipe 520 -Comment "NGen Worker Process"
PID: 576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 560 -InterruptEvent 578 -NGENProcess 570 -Pipe 538 -Comment "NGen Worker Process"
PID: 2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 4e4 -NGENProcess 550 -Pipe 574 -Comment "NGen Worker Process"
- System Location Discovery: System Language Discovery
PID: 2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 580 -NGENProcess 558 -Pipe 56c -Comment "NGen Worker Process"
PID: 1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 580 -InterruptEvent 584 -NGENProcess 570 -Pipe 57c -Comment "NGen Worker Process"
PID: 1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 584 -InterruptEvent 588 -NGENProcess 550 -Pipe 564 -Comment "NGen Worker Process"
PID: 1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 558 -Pipe 560 -Comment "NGen Worker Process"
PID: 2728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
- Executes dropped EXE
PID: 2792

C:\Windows\ehome\ehRecvr.exe (depth 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1844

C:\Windows\ehome\ehsched.exe (depth 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID: 2368

C:\Windows\eHome\EhTray.exe (depth 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2964

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 2504

C:\Windows\system32\IEEtwCollector.exe (depth 1)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID: 1840

C:\Windows\ehome\ehRec.exe (depth 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 816

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1732

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1704

C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3000

C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 872

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2648

C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 3052

C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3060

C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2992

C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 892

C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2108

C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1080

C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2476

C:\Program Files\Windows Media Player\wmpnetwk.exe (depth 1)
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2032

C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3064

C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID: 1692

C:\Windows\system32\SearchFilterHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
PID: 2892
Network
MITRE ATT&CK Enterprise v15
Downloads
