Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 05/04/2024, 15:05
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
- Size: 24.3MB
- MD5: 9c1292a2bfebc5711f00613abd160989
- SHA1: d915dc3b341075f71bd189569fb9348c4804a3e9
- SHA256: a684f379b1c2616c0ed2bb2f02c3d35b593c28fa0fc184adafd4f08bf70c32f7
- SHA512: 5f10c2e8ded0563f93d978f02390654a615ecc01b52e1b3b1f0fcb854790f32d6283a07acc7f7ba5238697f82b2466cea9becd42d2c688b4e8b998cbe90bb19d
- SSDEEP: 196608:FP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv018i:FPboGX8a/jWWu3cq2D/cWcls1
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 49 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 22 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process
1516 ehRec.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege 2648 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 2648 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 2648 mscorsvw.exe
Token: SeShutdownPrivilege 2648 mscorsvw.exe
Token: 33 2360 EhTray.exe
Token: SeIncBasePriorityPrivilege 2360 EhTray.exe
Token: SeDebugPrivilege 1516 ehRec.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeRestorePrivilege 2364 msiexec.exe
Token: SeTakeOwnershipPrivilege 2364 msiexec.exe
Token: SeSecurityPrivilege 2364 msiexec.exe
Token: 33 2360 EhTray.exe
Token: SeIncBasePriorityPrivilege 2360 EhTray.exe
Token: SeBackupPrivilege 2428 vssvc.exe
Token: SeRestorePrivilege 2428 vssvc.exe
Token: SeAuditPrivilege 2428 vssvc.exe
Token: SeBackupPrivilege 1044 wbengine.exe
Token: SeRestorePrivilege 1044 wbengine.exe
Token: SeSecurityPrivilege 1044 wbengine.exe
Token: 33 2496 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 2496 wmpnetwk.exe
Token: SeManageVolumePrivilege 2672 SearchIndexer.exe
Token: 33 2672 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2672 SearchIndexer.exe
Token: SeDebugPrivilege 1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 1948 2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege 2648 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeDebugPrivilege 2624 alg.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 2648 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
Token: SeShutdownPrivilege 1040 mscorsvw.exe
-
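Most of the rows above are mscorsvw.exe enabling SeShutdownPrivilege, which is the .NET NGEN service doing its normal work. The rows that matter for triage are the sample itself (PID 1948) enabling SeTakeOwnershipPrivilege and, five times, SeDebugPrivilege, and alg.exe (listed under "Executes dropped EXE") enabling SeDebugPrivilege. vssvc.exe and wbengine.exe hold backup/restore privileges because the Volume Shadow Copy service and the block-level backup engine were started during the run; the report records the VSS COM API being used but does not say what was done with it. Note also that the list is capped at 64 rows, so a privilege absent here may still have been enabled later. The Python below is an added example, not part of the tria.ge report: it parses the "Token: <privilege> <pid> <image>" rows (in either the flattened or the one-per-line layout), aggregates them per process, and reports sensitive privileges enabled by processes outside an assumed baseline of service binaries. The SENSITIVE and EXPECTED tables and the excerpt assembled from rows on this page are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Privileges worth a second look when enabled by a process that is not a backup
# engine, installer or debugger. This grouping is the example's own, not a tria.ge signature.
SENSITIVE = {
    "SeDebugPrivilege": "open and write any process",
    "SeTakeOwnershipPrivilege": "take ownership of files, registry keys and other objects",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeSecurityPrivilege": "change audit settings and read the security log",
    "SeManageVolumePrivilege": "raw volume access",
}

# Assumed baseline for a Windows 7 sandbox image: service binaries that enable
# these privileges as part of normal operation. Tune it for your own environment.
EXPECTED = {
    "mscorsvw.exe": {"SeShutdownPrivilege"},          # .NET NGEN service
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"},
    "wbengine.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege"},
    "msiexec.exe": {"SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeSecurityPrivilege"},
    "SearchIndexer.exe": {"SeManageVolumePrivilege"},
}

# The report prints a bare LUID when it has no name for a privilege; 33 is
# SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_tokens(text):
    """Return {(pid, image): Counter(privilege -> number of AdjustPrivilegeToken calls)}.

    Scans for 'Token: <privilege> <pid> <image>' triplets instead of splitting on
    newlines, so the flattened one-line layout and one row per line both work.
    """
    per_proc = defaultdict(Counter)
    for priv, pid, image in TOKEN_RE.findall(text):
        per_proc[(int(pid), image)][LUID_NAMES.get(priv, priv)] += 1
    return per_proc


def sensitive_findings(per_proc):
    """Processes that enabled a SENSITIVE privilege outside their EXPECTED baseline."""
    findings = []
    for (pid, image), privs in sorted(per_proc.items()):
        baseline = EXPECTED.get(image, set())
        unexpected = sorted(p for p in privs if p in SENSITIVE and p not in baseline)
        if unexpected:
            findings.append({
                "pid": pid,
                "image": image,
                "privileges": unexpected,
                "calls": sum(privs[p] for p in unexpected),
                "why": [SENSITIVE[p] for p in unexpected],
            })
    return findings


SAMPLE = "2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe"

# Constructed excerpt: rows copied from the report above, joined on one line the
# way the page renders them.
REPORT_EXCERPT = " ".join(
    [f"Token: SeTakeOwnershipPrivilege 1948 {SAMPLE}",
     "Token: SeShutdownPrivilege 2648 mscorsvw.exe",
     "Token: 33 2360 EhTray.exe",
     "Token: SeIncBasePriorityPrivilege 2360 EhTray.exe",
     "Token: SeDebugPrivilege 1516 ehRec.exe",
     "Token: SeRestorePrivilege 2364 msiexec.exe",
     "Token: SeTakeOwnershipPrivilege 2364 msiexec.exe",
     "Token: SeSecurityPrivilege 2364 msiexec.exe",
     "Token: 33 2360 EhTray.exe",
     "Token: SeBackupPrivilege 2428 vssvc.exe",
     "Token: SeRestorePrivilege 2428 vssvc.exe",
     "Token: SeAuditPrivilege 2428 vssvc.exe",
     "Token: SeBackupPrivilege 1044 wbengine.exe",
     "Token: SeRestorePrivilege 1044 wbengine.exe",
     "Token: SeSecurityPrivilege 1044 wbengine.exe",
     "Token: SeManageVolumePrivilege 2672 SearchIndexer.exe"]
    + [f"Token: SeDebugPrivilege 1948 {SAMPLE}"] * 5
    + ["Token: SeShutdownPrivilege 1040 mscorsvw.exe"] * 9
    + ["Token: SeDebugPrivilege 2624 alg.exe"]
)

if __name__ == "__main__":
    for f in sensitive_findings(parse_tokens(REPORT_EXCERPT)):
        print(f"{f['pid']:>5} {f['image']}: {', '.join(f['privileges'])} ({f['calls']} calls)")
```

Run against the excerpt it reports three processes: the sample (SeDebugPrivilege and SeTakeOwnershipPrivilege, six calls), ehRec.exe and alg.exe (SeDebugPrivilege); msiexec.exe, vssvc.exe and wbengine.exe are suppressed by the baseline. Drop a binary from EXPECTED if, as with alg.exe here, the report shows it was replaced by a dropped file, since the baseline no longer describes what is running under that name.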
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2360 EhTray.exe 2360 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2360 EhTray.exe 2360 EhTray.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process
1352 SearchProtocolHost.exe
1352 SearchProtocolHost.exe
1352 SearchProtocolHost.exe
1352 SearchProtocolHost.exe
1352 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1456 SearchProtocolHost.exe
1352 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1040 wrote to memory of 2128 1040 mscorsvw.exe 39
PID 1040 wrote to memory of 2128 1040 mscorsvw.exe 39
PID 1040 wrote to memory of 2128 1040 mscorsvw.exe 39
PID 1040 wrote to memory of 1616 1040 mscorsvw.exe 45
PID 1040 wrote to memory of 1616 1040 mscorsvw.exe 45
PID 1040 wrote to memory of 1616 1040 mscorsvw.exe 45
PID 2648 wrote to memory of 2896 2648 mscorsvw.exe 54
PID 2648 wrote to memory of 2896 2648 mscorsvw.exe 54
PID 2648 wrote to memory of 2896 2648 mscorsvw.exe 54
PID 2648 wrote to memory of 2896 2648 mscorsvw.exe 54
PID 2672 wrote to memory of 1352 2672 SearchIndexer.exe 62
PID 2672 wrote to memory of 1352 2672 SearchIndexer.exe 62
PID 2672 wrote to memory of 1352 2672 SearchIndexer.exe 62
PID 2672 wrote to memory of 2832 2672 SearchIndexer.exe 63
PID 2672 wrote to memory of 2832 2672 SearchIndexer.exe 63
PID 2672 wrote to memory of 2832 2672 SearchIndexer.exe 63
PID 2648 wrote to memory of 1864 2648 mscorsvw.exe 64
PID 2648 wrote to memory of 1864 2648 mscorsvw.exe 64
PID 2648 wrote to memory of 1864 2648 mscorsvw.exe 64
PID 2648 wrote to memory of 1864 2648 mscorsvw.exe 64
PID 2648 wrote to memory of 2480 2648 mscorsvw.exe 65
PID 2648 wrote to memory of 2480 2648 mscorsvw.exe 65
PID 2648 wrote to memory of 2480 2648 mscorsvw.exe 65
PID 2648 wrote to memory of 2480 2648 mscorsvw.exe 65
PID 2648 wrote to memory of 2544 2648 mscorsvw.exe 66
PID 2648 wrote to memory of 2544 2648 mscorsvw.exe 66
PID 2648 wrote to memory of 2544 2648 mscorsvw.exe 66
PID 2648 wrote to memory of 2544 2648 mscorsvw.exe 66
PID 2648 wrote to memory of 2188 2648 mscorsvw.exe 67
PID 2648 wrote to memory of 2188 2648 mscorsvw.exe 67
PID 2648 wrote to memory of 2188 2648 mscorsvw.exe 67
PID 2648 wrote to memory of 2188 2648 mscorsvw.exe 67
PID 2648 wrote to memory of 1372 2648 mscorsvw.exe 76
PID 2648 wrote to memory of 1372 2648 mscorsvw.exe 76
PID 2648 wrote to memory of 1372 2648 mscorsvw.exe 76
PID 2648 wrote to memory of 1372 2648 mscorsvw.exe 76
PID 2648 wrote to memory of 2308 2648 mscorsvw.exe 69
PID 2648 wrote to memory of 2308 2648 mscorsvw.exe 69
PID 2648 wrote to memory of 2308 2648 mscorsvw.exe 69
PID 2648 wrote to memory of 2308 2648 mscorsvw.exe 69
PID 2672 wrote to memory of 1456 2672 SearchIndexer.exe 70
PID 2672 wrote to memory of 1456 2672 SearchIndexer.exe 70
PID 2672 wrote to memory of 1456 2672 SearchIndexer.exe 70
PID 2648 wrote to memory of 476 2648 mscorsvw.exe 78
PID 2648 wrote to memory of 476 2648 mscorsvw.exe 78
PID 2648 wrote to memory of 476 2648 mscorsvw.exe 78
PID 2648 wrote to memory of 476 2648 mscorsvw.exe 78
PID 2648 wrote to memory of 2468 2648 mscorsvw.exe 72
PID 2648 wrote to memory of 2468 2648 mscorsvw.exe 72
PID 2648 wrote to memory of 2468 2648 mscorsvw.exe 72
PID 2648 wrote to memory of 2468 2648 mscorsvw.exe 72
PID 2648 wrote to memory of 2576 2648 mscorsvw.exe 73
PID 2648 wrote to memory of 2576 2648 mscorsvw.exe 73
PID 2648 wrote to memory of 2576 2648 mscorsvw.exe 73
PID 2648 wrote to memory of 2576 2648 mscorsvw.exe 73
PID 2648 wrote to memory of 1580 2648 mscorsvw.exe 74
PID 2648 wrote to memory of 1580 2648 mscorsvw.exe 74
PID 2648 wrote to memory of 1580 2648 mscorsvw.exe 74
PID 2648 wrote to memory of 1580 2648 mscorsvw.exe 74
PID 2648 wrote to memory of 1776 2648 mscorsvw.exe 75
PID 2648 wrote to memory of 1776 2648 mscorsvw.exe 75
PID 2648 wrote to memory of 1776 2648 mscorsvw.exe 75
PID 2648 wrote to memory of 1776 2648 mscorsvw.exe 75
PID 2648 wrote to memory of 1372 2648 mscorsvw.exe 76
-
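Every writer in the 64 rows above is a service that is spawning children: the two mscorsvw.exe NGEN services writing into their worker processes, and SearchIndexer.exe writing into SearchProtocolHost.exe and SearchFilterHost.exe, three or four writes per child. That is the shape CreateProcess leaves behind while it sets up a new child's parameters, not the shape of code injection, which is many writes into a process that already exists. The procid_target column is the sandbox's own per-run process index for the target, not a Windows PID. The sample (PID 1948) does not appear as a writer in these rows, but the list is capped at 64 entries, so that only says it is not among the first 64 recorded calls. The Python below is an added example, not part of the tria.ge report: it parses the rows (either layout), collapses them into a writer-to-target graph with call counts, flags any target that receives more than an assumed spawn-time number of writes, and checks the signature header for the 64-row cap before treating absence as evidence. The threshold, the report excerpt and the synthetic injection-shaped rows (PID 4242, dropper.exe, which do not exist in the report) are the example's own.

```python
import re
from collections import defaultdict

# One row per WriteProcessMemory call:
#   "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
# <procid_target> is the sandbox's per-run process index for the target, not a PID,
# so it is parsed here but not used as one.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)")
IOC_COUNT_RE = re.compile(r"(\d+) IoCs")

# Assumption: a few writes per target is what CreateProcess itself produces while
# populating the new child's parameters; tens of writes into one target is the shape
# of code injection. Tune the threshold for your own sandbox.
SPAWN_WRITE_LIMIT = 8
IOC_CAP = 64   # tria.ge truncates each signature's row list at this many entries


def parse_wpm(text):
    """{(writer_pid, writer_image): {target_pid: write_count}} from either layout."""
    graph = defaultdict(lambda: defaultdict(int))
    for w_desc, target, w_col, image, _idx in WPM_RE.findall(text):
        if w_desc != w_col:
            raise ValueError(f"writer pid mismatch: {w_desc} vs {w_col}")
        graph[(int(w_desc), image)][int(target)] += 1
    return graph


def summarize(graph, sample_pid):
    """One row per writer, plus whether the sample itself appears as a writer."""
    rows = []
    for (pid, image), targets in sorted(graph.items()):
        rows.append({
            "writer": pid,
            "image": image,
            "targets": sorted(targets),
            "writes": sum(targets.values()),
            "max_per_target": max(targets.values()),
            "high_volume": any(n > SPAWN_WRITE_LIMIT for n in targets.values()),
        })
    sample_wrote = any(r["writer"] == sample_pid for r in rows)
    return rows, sample_wrote


def ioc_count(header):
    """Row count claimed by a signature header such as '... WriteProcessMemory 64 IoCs'."""
    m = IOC_COUNT_RE.search(header)
    return int(m.group(1)) if m else 0


def is_capped(header):
    """True when the list hit the cap, so absence from it proves nothing."""
    return ioc_count(header) >= IOC_CAP


# Constructed excerpt: rows copied from the report above, joined on one line.
REPORT_EXCERPT = " ".join(
    ["PID 1040 wrote to memory of 2128 1040 mscorsvw.exe 39"] * 3
    + ["PID 1040 wrote to memory of 1616 1040 mscorsvw.exe 45"] * 3
    + ["PID 2648 wrote to memory of 2896 2648 mscorsvw.exe 54"] * 4
    + ["PID 2672 wrote to memory of 1352 2672 SearchIndexer.exe 62"] * 3
    + ["PID 2672 wrote to memory of 2832 2672 SearchIndexer.exe 63"] * 3
    + ["PID 2648 wrote to memory of 1864 2648 mscorsvw.exe 64"] * 4
)

# Synthetic rows, not from the report: what an injection pattern looks like in the
# same format (one writer hammering a single existing process).
SYNTHETIC_INJECTION = " ".join(
    ["PID 4242 wrote to memory of 668 4242 dropper.exe 9"] * 20
)

if __name__ == "__main__":
    header = "Suspicious use of WriteProcessMemory 64 IoCs"
    rows, sample_wrote = summarize(parse_wpm(REPORT_EXCERPT), sample_pid=1948)
    for r in rows:
        flag = "INJECTION-SHAPED" if r["high_volume"] else "spawn-time"
        print(f"{r['writer']:>5} {r['image']}: {len(r['targets'])} targets, "
              f"{r['writes']} writes, max {r['max_per_target']} per target [{flag}]")
    print("sample wrote to another process:",
          "unknown (list capped)" if not sample_wrote and is_capped(header) else sample_wrote)
```

On the excerpt all three writers stay under the threshold and the sample is absent, which the capped header turns into "unknown" rather than "no"; the synthetic rows trip the high-volume flag. When the flag does fire on a real report, cross-check the target against the process tree: a target that is the writer's own freshly created child is still most likely a spawn, a target that already existed is the interesting case.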
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-05_9c1292a2bfebc5711f00613abd160989_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2640
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2364
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2108
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2480
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1f0 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2468
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 250 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2576
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 268 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 244 -NGENProcess 23c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 1f0 -NGENProcess 288 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2888
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 290 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1200
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 298 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 290 -NGENProcess 29c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 2a0 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 1f0 -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1684
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2128
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 218 -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1156
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 258 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 230 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2456
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 264 -NGENProcess 1e4 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1056
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 1b0 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:240
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 250 -NGENProcess 218 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1552
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1508
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1b0 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 27c -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1272
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 284 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1916
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1b0 -NGENProcess 22c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 230 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1156
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:688
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 22c -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"2⤵PID:1968
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 294 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2116
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 298 -Pipe 280 -Comment "NGen Worker Process"2⤵PID:2244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 290 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 294 -NGENProcess 2a0 -Pipe 1b0 -Comment "NGen Worker Process"2⤵PID:1116
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 29c -Pipe 22c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:844
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 230 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"2⤵PID:2056
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 2ac -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:984
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 230 -Comment "NGen Worker Process"2⤵PID:2576
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 218 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:368
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:1740
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c4 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1236
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:1864
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1612
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2b8 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:1980
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2c4 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1368
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:2900
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 28c -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:952
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 28c -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:1636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2dc -NGENProcess 2bc -Pipe 108 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2712
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d0 -NGENProcess 2dc -Pipe 294 -Comment "NGen Worker Process"2⤵PID:772
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 28c -NGENProcess 2ac -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:368
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e0 -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1668
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2dc -NGENProcess 2e4 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:3004
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 2e8 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:2176
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 104 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:1036
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 2d4 -NGENProcess 2dc -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:488
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 28c -NGENProcess 104 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2956
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2f4 -Pipe 240 -Comment "NGen Worker Process"2⤵PID:1852
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:668
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2004
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:1968
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1540
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1660
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2360
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
PID:2168

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:1612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2180

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
PID:1536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2852

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3044

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID:1352

    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    PID:2832

    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1456

Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 706KB
MD5 560b45909b5b11cc5ea7de2bded3ca75
SHA1 bff4bf0c7c3a931415a9ffe766ed0bff98e3e026
SHA256 09006d75dfa278c5b28f8d39ae9472c78041ac3d8b889045bdbe5b2e433a37d3
SHA512 3078e100fa9315a9766b7795daa970b48e6f9a926a7bce557d75a359bfae33852c913d144b897a3a7ac0a64bd9a56ab4a669e7cc9328ac522d52bc5889a48e0f

Filesize 30.1MB
MD5 15e424d91297bf7a3026299debe4c8d1
SHA1 d72634c95e76d5d934e6e8a54ff4b070dc041daf
SHA256 8ecae3247fbf9d27250f6f8627a278719a73130f833d4c66bc536e21367b6ca1
SHA512 3c537d2adb49957969dfd89aec541b6165c9cd792207874fc40c040faa05eaaf19ad885935a2e523d70a87441e48067501139f26c61eaa1df4df6b316099f10c

Filesize 781KB
MD5 9af9bdfee05f0df67d1088c395fdd300
SHA1 1fc61f1a4d37e9f40f6ff77f93fefb123050579e
SHA256 e2f98fef12c79706ccecb7b0f33999886a368f0a3f38c6e7ac77d4b6e294af7b
SHA512 e41c05831cb894c90491e91043ddccd205f81c735942e0195d98ca9b2d74e2447b073301b40468cbfd3424eef5c9a74073f138941f8bd5fd40fa01c650cf21e9

Filesize 5.2MB
MD5 dbe39354b4ab3d2789c58e43400240ec
SHA1 96970afa2146e7c43dddae9234432e2371530d06
SHA256 955d165679215c985707e9ad28599db09af80ddf140e869da21d72c07b3ee996
SHA512 ef924b48f1d0b22aad4c911ff4abcd1b9d4d18cebd3794930634f528a30442deb366f61286309e5d90ad463470a4c5cfcf446958bf5cc6950b53dd9012f5d012

Filesize 2.1MB
MD5 4d0c73c8554a169da14c3350d7c66781
SHA1 609f694d481f303b0e9ac7b8f2ac87c3605f708d
SHA256 d3f70c9d0635c39750ec60ec4a01440b3e089bf75099955d4f401abc7a648055
SHA512 6097cd36fe0999702ce4d30e44eb3a111001539a75d09424196739d9f64552e97ddd13745c7909b6b3cc1699af6ee037efef147c55f19533b04fe4f5c475b1cd

Filesize 1024KB
MD5 40077e58c61fad92519e140e0dc34022
SHA1 2cce66177530344f88e37eb84f0043be701bf444
SHA256 6e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0
SHA512 20e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Filesize 872KB
MD5 78def10ee6f7e7a3e5a1a8b1d75b6b2f
SHA1 a1a58ae2a3c222be7d477e0c5ac0dc1f0370d98c
SHA256 cf629b1075b36f2fa1ffa2355149e78c244bf72e32a5e4d1c04d37a28332c04a
SHA512 19ef9da5c33bc004260e2bf88ec6301f307261c82f6978a5e91db61cac8e9969562b4a87362ef94222225a2459cbed60c9738f46b6769ea4e17a9c19f20c1159

Filesize 678KB
MD5 a9b6097161e7cc59d6052312349cb804
SHA1 bf924b1b99847dd4e33a93bee78602343ea1c900
SHA256 11c53f588d59707a932304444ea97e09c9b6cea3dfca3ae09085ad7d2fe7afa1
SHA512 d6dc5ac1d8ffd4b5149aa271beb8e458ecc30d9e519ab7cc2ada1480781a72377a6faf2612049dcf6a17ab1d371c5d6172f3dc44c2ab517bae1a0fc7ea08cd0a

Filesize 8KB
MD5 41daadb62455fa6e775ef4c0a8599f46
SHA1 57a081c16978cbf39f2f76fae3dd94a0a3e870d4
SHA256 823691f11073d6b667248c5287b009c25d8dbb07847e1a2ef52322be8060c74f
SHA512 f24320404a83bf0d2449ad6b1a1287492cff6bcfc2d81d95a4345293ef893e259418f790926f5929b6a999615f85ec9c79fec711b7b484e2ccf41a106bb85858

Filesize 625KB
MD5 2abc39fad78d0f3b909cba82a880626a
SHA1 2884e3fca27cabb53b28cddfd3210d95923cd44d
SHA256 f65b5f4f9dd79a7c6f680e978570725771e3cdfd65cfcd87645d7a2dd8763776
SHA512 87aa6013cfb69d736dde638f2019e871887cdb70317b4aea011f269a616ba90fee35fa2e6fc795011ea99756876becc6b88d2cb29f2229f10ad2ccae8f157dce

Filesize 1003KB
MD5 a3ccdb90beab389a428552194ddc1026
SHA1 eb94a08a8baaeef5fb754ce4fee73d8e03a1f286
SHA256 fe6d1189cb103801197e354c47ef7fad1db2f42814e8a1ae31ac9c5bedcf4044
SHA512 affeb4525e5e6b6683cce124c4fea4519e4ee690e209e9553766435104811557360177f07c9a203837a7df81c7718b0a031c63c4316be877fbc13ad108a15303

Filesize 656KB
MD5 4d387bb7be286577c6c820ae8a9f0373
SHA1 0de5a529a0a947281a767a194e51ca1fb8e61404
SHA256 6a4345d265c15557ede5b788d96fd8ec3be044fde2572cecc07d18d6cfaac20b
SHA512 718bf6de6b2f98948d5388a45e0df91dce2b626f01ccda53f13e07f3a2e645abfbe90c1c61d49f69183650cc3e5957ff10a356c925381d0be528b91cdee2dd23

Filesize 587KB
MD5 607b8ac628fb29b002e4719c64c5ebac
SHA1 de0834762503741b2e7b50f0b32cd6fbdd5d8806
SHA256 05cad3712981e49395aaaa3be517969bea1c546ee84ecdd9c3060e630c8a41b8
SHA512 0f290d504a2a8bc2eb57813709f0589e0fbe484afac8a7f40163f7dde455fa35763ae56f6b5a96428003a8d7af874c88eae2c3046045712704cef328e34bfdc6

Filesize 577KB
MD5 3637b45b568b0199c665b784c01bb023
SHA1 7809ae6550fde85852c5b6b45560109193f06185
SHA256 27bd51404d2226e5fad6e5b1780d9d9b9245584032d19fb8f8091cd9647323f8
SHA512 42fbafcc012ded493e970339212b22ee28333423121b605bd6d783754425e6ebe9128f15c0341ac5d3ba49cf25586ce71c0fc82508c385d381671a7a5d768421

Filesize 1.1MB
MD5 42324e829b9f576914307940bf800c88
SHA1 aa79c36abf8a43e386d1a47038d41459ab6739d4
SHA256 e0cffa3b77ba4eb08f7c1c92ce6f677e9ccef3e4ad72e83f2749d42c187e2c37
SHA512 ce10088146bf8613da1f458866f1d466363d509e34648252a93ecb99a6c1884d2f9ca69a5d12c358488d121e6359fbbe2a61a0d33a516b2d6014a342d0c569da

Filesize 2.1MB
MD5 e948a61d72b30947b48f8d752c092d16
SHA1 5f2d771d07e92479d335b061a4c30cd28fd8fc17
SHA256 bb687546e777b495e06d215b5c3c70c49e626cce7431f21bc532585cb06298b6
SHA512 c8e757106a32dd1ba1a9b43b19dc43941f2918314e37b4c65a07e48ebaf853212fd8f553aac8c0aa5244791a86ab0f9875428b9a3739a3d0ec575ab379948a97

Filesize 674KB
MD5 1a59579cec32a303322ae479d10d13b1
SHA1 89a0b03f89b2132acaae30bd18a7873db49f1118
SHA256 9bce23b2f1de44a1836b7b3029abde03d0b073520f31494d80d742d53b06c9fd
SHA512 8a22044fc52633ec38240d052308efe8244bef8558b645eb6833b246fbbbc6cd8ed1470f760d90c62b6cc2728fb9e3f6eff6bc7501d6680baa404f2d95b9a9ed

Filesize 705KB
MD5 5a24a33f9acdc61b999679903444c447
SHA1 def86ed282834f9cf5675dddb5df143d129b77ac
SHA256 d11ca88bd9e10d1cce757d69d2bcbb90dc2062d757056836e44560668acffa43
SHA512 b9812e71c099b229425cf008a538ec57fa937ddaf2de9e78928433b21b10eb656b4453e197fbf3a010f472f8c25860f061dfff28bd90293c07ac831c4de0a7b1

Filesize 1.1MB
MD5 8b6e068f8a7ee8397076fae0121859b0
SHA1 e89009a3cfa7f06d584a9b9040faecef4b5ff130
SHA256 132028e0c09220e0ae55492a4af9b1d75a228d359e0f9832e086d51cb2a1c878
SHA512 78dec8a1dbaedf3dc87b218e8ef64a5a8465c0adf6a52525454da901b1dbe4a8b4b3201723c9473c5b9ad6d0a7fb49023862cfec2c1ebb1834dbbc1a073474cf

Filesize 765KB
MD5 a5529ad8668fcc796031a41e857d7730
SHA1 ee5f4d9883169d842f6bc4a69b2d4c830a73e960
SHA256 6e5e50f78336cc2de863aa7d02a63b5e64cf8d1c68e1e667b9de3c8e83ee1851
SHA512 ca33c0c1e01fa4bb8516f5e080817f4033b1df80df03d3f6ebaec6351bfeb605a058449349d031135416cefd004fe1148c29b35aafba2fe5376ca5f3e1646c1d

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize 248KB
MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize 58KB
MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize 205KB
MD5 0a41e63195a60814fe770be368b4992f
SHA1 d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\203454d533ad44357ec183c51feb1dc2\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize 122KB
MD5 ccbae67eeb660cb61de3bd4568ed14ef
SHA1 fc6a27858333ad81c9a0123448ca162635464b8b
SHA256 a5209c1ca672f7a661a476faca1a3e3a6fac290ec1f230985a4a730dee537b8a
SHA512 2898e3152674d60f33a1b5672637a805bf69ec7f903b75df2c162e41592758e99520705c729f7a711f3827d1582538806e0047afb981e641539aff5754f1e498

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize 43KB
MD5 68c51bcdc03e97a119431061273f045a
SHA1 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512 d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize 198KB
MD5 9d9305a1998234e5a8f7047e1d8c0efe
SHA1 ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5358348d90c94eb87af40d384e9250a6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize 221KB
MD5 d0062ae5106a50437b283af6602c0d05
SHA1 372dd95b396bff0a7ea0afe733aff88685c5fd68
SHA256 f0959c7257fdb2184e6c002e12d294ce1cf9a855eeae3c5b5dbeea5177c12a80
SHA512 a9efd4a76328e1120fa147f9e0d73848e07880f19b0f3363cf3ab9a4846be52d207f94b73f5b6996352ac6c2bf81b44158f30c9c234266bbf8d66f2700aa1941

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6cb0c7b655e422204a399cd81492f82f\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize 305KB
MD5 6b7d8af4d93abc5dd7a61a7e24e08f8a
SHA1 270413c35c165a187c43e003ea0ebbc7641f9129
SHA256 20bb09a00e6d6bff9aee4e4399bf7133991b919b918be7996a99d7d480910fc3
SHA512 5d295928580e2dca366eb709926f36a4939467442c6e54fee06b4968d660c91d06f233108e96b1fc131f66b89bed3d9f31c864b3829ac6ba28ea3eb63fbe3f63

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize 70KB
MD5 57b601497b76f8cd4f0486d8c8bf918e
SHA1 da797c446d4ca5a328f6322219f14efe90a5be54
SHA256 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize 87KB
MD5 ed5c3f3402e320a8b4c6a33245a687d1
SHA1 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256 b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512 d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\898b154334d69e7ff554254ee9d466cf\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize 271KB
MD5 5aebc8f127650c7b2512c8b38390d77b
SHA1 d23b5ef52e24bd245d29bf5d6854b56478e68593
SHA256 3055f712cce2297b35745c7c7afc986f42bc6d213fc0afec085aa7620d3693e9
SHA512 0286bd08ff74a7c00ada5762d488187d337afd069e127f44d83a38e11189cd0da230507d419b4b653ed436860439baffca44560c2388fec1121b8dee66e8dfba

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize 82KB
MD5 2eeeff61d87428ae7a2e651822adfdc4
SHA1 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512 cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize 58KB
MD5 a8b651d9ae89d5e790ab8357edebbffe
SHA1 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512 b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize 85KB
MD5 5180107f98e16bdca63e67e7e3169d22
SHA1 dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256 d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize 298KB
MD5 5fd34a21f44ccbeda1bf502aa162a96a
SHA1 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize 43KB
MD5 dd1dfa421035fdfb6fd96d301a8c3d96
SHA1 d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256 f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize 2.1MB
MD5 10b5a285eafccdd35390bb49861657e7
SHA1 62c05a4380e68418463529298058f3d2de19660d
SHA256 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA512 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Filesize 2.0MB
MD5 6d4e1baf3745a974f86dc79b8ff68dcb
SHA1 002c7382951dbeeb13450f13ff275353ff355e47
SHA256 ae161616af0860ec081915cef04fb135473190629717078e09a1daecf93e684c
SHA512 8dd8ed9051e8e714cad5ec7c5895c6184305397a111d0dc04d57f98d95c9168c271b95e39f03bc941a1b7fbdfd089db14893575966fa7f1a7e943fbf15278551

Filesize 648KB
MD5 13806a7922c4a2b7ba1140bb6ce4b794
SHA1 058022bd8aeecc2228a8a407d60da9c80ab0e872
SHA256 a49a669c33ec1333a15b380ecb57eae0631f016af65f72175ffb17d5a9867bcc
SHA512 0d95008d180f2d20ef9a8849b603f3109c987ef9e51957de7d633c6eeb1ddeb2ceb43306ae9903bf21e1ccfdfbf91c2b5f1ff1f3ff6af0d52fff3f6b8b715b13

Filesize 603KB
MD5 ea28fdf9674f66378bfd8f12ef95ec43
SHA1 ca66af2ab80e1d152745016a0c3c02f82f4ac0af
SHA256 7be814f58c2e6a07ce6286355a7bfaa2b8417d1e1c8c890ff320a050c9df8e18
SHA512 259d02cf86c18dcb8dbe5a6efd2254d58938bc48483d755bd6ef68445e881b931a54b2550cfcf037ad2d47924f6541813cbdf9ca4f56e7a58ea241c8a1c92ff6

Filesize 644KB
MD5 4ea79fd7273f0ebf074fa15885ab1a03
SHA1 09da67144dbed88f3c4d635371036ba0961cabd2
SHA256 03ec3eee6dd5361362586a668f5029480f63e9418d2e98b4b0cdce437576dd03
SHA512 9d1e80d6d1759cf8ad00f2e697eaffe3eeec3e30ca90b37e61e2135800c4eff057cb5818975de1110c8d695b5a40394279905addaf958b1976ddea64e6072f5b

Filesize 577KB
MD5 39fa0d0f0c4fcb6d44881b6013008d4c
SHA1 691d1162559a0fcc7325c4517032c628b9df2d78
SHA256 417c7224ecb514c850ee17cc566fac80f809f01a3fa63d507f6ccca979ade1ad
SHA512 0a6dcc92748f9134bb9798391b84efc1bf712a7cbb815593ff6953b538cc12ba057ce7b31029b4ff0ff0b53708849f9685fae56cca647befa17bff0b002d905b

Filesize 691KB
MD5 c193b51c85a511458bacda4c27e0fa85
SHA1 b3fad734a95b46e590225059d3faf6c9dc2c54de
SHA256 d78f779c41630e0315a4515c6e8db3ca4e9d77cf11afaab24c0200acfd5dec60
SHA512 abc92d622b28146a6b349eace3104ba12caaf72cc1434b58664d9b5f0f05ff754f10e7c932db3e2ec560096c0911916a0a2daedc4c560a0d827b842bf1bd1322

Filesize 581KB
MD5 82915af8c4e3f2d58d8ae159ab717e17
SHA1 d21cb1944491b3d0210395a6db809a2f3f548a1a
SHA256 7c9179b5b5e5408dc3df13324fece9169b583d1cac2f3215ae6038f545d2432e
SHA512 1538d4d69a3f7c5555d298c5d16104917ae6a22216f3575d41b536a42a489b537052e296269f5de94d07b88cdbb5c257aa591da1fff04705246ab35c2fc89004

Filesize 2.0MB
MD5 de0c423450df4135573ec3f7c3d010d1
SHA1 0e3a3b83c2f0b035fdc045bacb921d4defa00b82
SHA256 6c8c6ee55c74cc6e31863d5695fe7874d9d5a6e34380c43e67bfffda95def629
SHA512 26eda012d75c5137844d05af39acafd7cd9828edbe08adbac40a1d48d9dab478e18981cfa7f71328cec7ea3bd56cf25cd2eb9b0706a34c40853a00adc49fdcf6

Filesize 1.2MB
MD5 c6937ec1e4fab2707d524b323339d65b
SHA1 ad1f308e408c7f3b2e18ea6e8738bf13a16f79d2
SHA256 a3dd7b606e9c6d75697ee59e1a2be559e843be6f3742d7db2a24e4b72ff36995
SHA512 c6724c865355cb84722dece08c2623596001a823e9b9122ab017972e1cc93fa897de4e1a1f456417a8e91667290d3ae55f9a59707d7b3f22727a1e58a95d4fc2

Filesize 691KB
MD5 e3a7f305e5934f5ca058fce342f74608
SHA1 73924e90cfff7123b0577392982f6f2d8678d381
SHA256 6fba679b19b1aa01c68654e309f2f3c29ce7a1af02832748304d04594827d1ab
SHA512 2be085d680e63c6f603c39f7315c090418b06fc1908d0ea1516f59dd9e6be5e9aeb772f7305a07d65b1cc2a8e3eacc1087762b8e0d5f4361bbfcd5f920146edd