Analysis
max time kernel: 144s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 10:06

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Resource: win10v2004-20240426-en

General
Target: 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: aced6ce2e806b1fc34265de4d1def5d0
SHA1: 343f3b7a4f8ee377567c62f4d74cd686de559ab5
SHA256: 438d963d6e0f216004c1e38de11bc49a21b53d02a77afcf09b494b3671808e9e
SHA512: b585723bba1857b26e8e760e4c47041cc5269297fb2c44a5b7704f8bcfe92ead28861f84d2901ce6e9b4281ed37975e7d68c52b3632f07a1f7941b8cc0988b89
SSDEEP: 196608:yP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op1H2SAmGcWqnlv0188IoQ:yPboGX8a/jWWu3cq2D/cWcls1j/

Malware Config

Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 51 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 21 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 2248 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: 33 612 EhTray.exe
Token: SeIncBasePriorityPrivilege 612 EhTray.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeDebugPrivilege 544 ehRec.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeRestorePrivilege 2904 msiexec.exe
Token: SeTakeOwnershipPrivilege 2904 msiexec.exe
Token: SeSecurityPrivilege 2904 msiexec.exe
Token: 33 612 EhTray.exe
Token: SeIncBasePriorityPrivilege 612 EhTray.exe
Token: SeBackupPrivilege 2780 vssvc.exe
Token: SeRestorePrivilege 2780 vssvc.exe
Token: SeAuditPrivilege 2780 vssvc.exe
Token: SeBackupPrivilege 1628 wbengine.exe
Token: SeRestorePrivilege 1628 wbengine.exe
Token: SeSecurityPrivilege 1628 wbengine.exe
Token: SeManageVolumePrivilege 1728 SearchIndexer.exe
Token: 33 2768 wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 2768 wmpnetwk.exe
Token: 33 1728 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1728 SearchIndexer.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeDebugPrivilege 2248 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 2248 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 2248 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 2248 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 2248 2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeDebugPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
Token: SeShutdownPrivilege 1908 mscorsvw.exe
Token: SeShutdownPrivilege 2652 mscorsvw.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
612 EhTray.exe
612 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
612 EhTray.exe
612 EhTray.exe
-
Suspicious use of SetWindowsHookEx 23 IoCs
Processes:
pid process
2832 SearchProtocolHost.exe
2832 SearchProtocolHost.exe
2832 SearchProtocolHost.exe
2832 SearchProtocolHost.exe
2832 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
1188 SearchProtocolHost.exe
2832 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1908 wrote to memory of 1452 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1452 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1452 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1452 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2656 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2656 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2656 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2656 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1740 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1740 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1740 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1740 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2836 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2836 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2836 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2836 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2808 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2808 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2808 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2808 1908 mscorsvw.exe mscorsvw.exe
PID 1728 wrote to memory of 2832 1728 SearchIndexer.exe SearchProtocolHost.exe
PID 1728 wrote to memory of 2832 1728 SearchIndexer.exe SearchProtocolHost.exe
PID 1728 wrote to memory of 2832 1728 SearchIndexer.exe SearchProtocolHost.exe
PID 1728 wrote to memory of 1896 1728 SearchIndexer.exe SearchFilterHost.exe
PID 1728 wrote to memory of 1896 1728 SearchIndexer.exe SearchFilterHost.exe
PID 1728 wrote to memory of 1896 1728 SearchIndexer.exe SearchFilterHost.exe
PID 1908 wrote to memory of 2496 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2496 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2496 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2496 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2328 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2328 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2328 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2328 1908 mscorsvw.exe mscorsvw.exe
PID 1728 wrote to memory of 1188 1728 SearchIndexer.exe SearchProtocolHost.exe
PID 1728 wrote to memory of 1188 1728 SearchIndexer.exe SearchProtocolHost.exe
PID 1728 wrote to memory of 1188 1728 SearchIndexer.exe SearchProtocolHost.exe
PID 1908 wrote to memory of 2856 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2856 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2856 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2856 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1652 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1652 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1652 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1652 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2228 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2228 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2228 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2228 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 756 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 756 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 756 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 756 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2876 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2876 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2876 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2876 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1120 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1120 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1120 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 1120 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2860 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2860 1908 mscorsvw.exe mscorsvw.exe
PID 1908 wrote to memory of 2860 1908 mscorsvw.exe mscorsvw.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_aced6ce2e806b1fc34265de4d1def5d0_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 1)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ec -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 240 -NGENProcess 2cc -Pipe 2c0 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2ec -NGENProcess 2dc -Pipe 2e8 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c4 -NGENProcess 2f4 -Pipe 240 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c4 -NGENProcess 2f0 -Pipe 2dc -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2c8 -NGENProcess 2fc -Pipe 2e0 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f4 -NGENProcess 300 -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2cc -NGENProcess 2fc -Pipe 2ec -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e4 -NGENProcess 308 -Pipe 2f4 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f0 -NGENProcess 2fc -Pipe 30c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f8 -NGENProcess 2d8 -Pipe 2c4 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2e4 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e4 -NGENProcess 310 -Pipe 2d8 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 304 -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2cc -NGENProcess 310 -Pipe 2fc -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 324 -NGENProcess 2e4 -Pipe 320 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 32c -NGENProcess 308 -Pipe 328 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 304 -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e4 -NGENProcess 330 -Pipe 31c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 310 -NGENProcess 324 -Pipe 32c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 304 -NGENProcess 338 -Pipe 2e4 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 33c -NGENProcess 324 -Pipe 2c8 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 2f8 -NGENProcess 344 -Pipe 304 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 300 -NGENProcess 30c -Pipe 2ec -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 360 -NGENProcess 340 -Pipe 35c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 350 -Pipe 358 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 350 -NGENProcess 31c -Pipe 36c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 348 -NGENProcess 368 -Pipe 320 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 368 -NGENProcess 364 -Pipe 31c -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 374 -NGENProcess 348 -Pipe 30c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 348 -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 37c -NGENProcess 364 -Pipe 21c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 300 -NGENProcess 378 -Pipe 1c0 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 354 -NGENProcess 37c -Pipe 364 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 37c -NGENProcess 238 -Pipe 348 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 340 -NGENProcess 378 -Pipe 288 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 260 -NGENProcess 378 -Pipe 300 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 378 -NGENProcess 368 -Pipe 340 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 38c -NGENProcess 384 -Pipe 380 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 260 -Pipe 388 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 394 -NGENProcess 368 -Pipe 354 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 368 -NGENProcess 38c -Pipe 390 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 39c -NGENProcess 260 -Pipe 378 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 260 -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 39c -NGENProcess 374 -Pipe 38c -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 370 -NGENProcess 3b0 -Pipe 39c -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 3cc -NGENProcess 260 -Pipe 3c8 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3bc -NGENProcess 3d4 -Pipe 370 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3ac -NGENProcess 3bc -Pipe 3a4 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3bc -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3e4 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3cc -NGENProcess 3ac -Pipe 3c0 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3ec -NGENProcess 3c4 -Pipe 3d4 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e4 -NGENProcess 3f4 -Pipe 3cc -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3c4 -Pipe 3bc -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c4 -NGENProcess 3f0 -Pipe 3ec -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3b0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f4 -NGENProcess 3d8 -Pipe 3f8 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3dc -NGENProcess 3f0 -Pipe 384 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e4 -NGENProcess 3a0 -Pipe 368 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 3d8 -Pipe 3c4 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 404 -NGENProcess 3f0 -Pipe 3ac -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f0 -NGENProcess 3e4 -Pipe 3a0 -Comment "NGen Worker Process"
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3e4 -NGENProcess 3fc -Pipe 3d8 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 410 -NGENProcess 408 -Pipe 3dc -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 410 -NGENProcess 3e8 -Pipe 404 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 430 -NGENProcess 3f0 -Pipe 42c -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 410 -NGENProcess 434 -Pipe 3f0 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 444 -NGENProcess 41c -Pipe 440 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3e8 -NGENProcess 448 -Pipe 438 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 430 -NGENProcess 428 -Pipe 434 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 43c -NGENProcess 410 -Pipe 444 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 420 -NGENProcess 448 -Pipe 424 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 44c -NGENProcess 428 -Pipe 3e4 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 410 -Pipe 3f4 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 450 -NGENProcess 44c -Pipe 448 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 3e8 -NGENProcess 410 -Pipe 430 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 45c -NGENProcess 420 -Pipe 41c -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 460 -NGENProcess 44c -Pipe 458 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 3e8 -NGENProcess 468 -Pipe 45c -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 464 -InterruptEvent 410 -NGENProcess 468 -Pipe 454 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 410 -InterruptEvent 46c -NGENProcess 460 -Pipe 428 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 460 -NGENProcess 464 -Pipe 450 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 474 -NGENProcess 470 -Pipe 43c -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 3e8 -NGENProcess 48c -Pipe 488 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 44c -NGENProcess 468 -Pipe 494 -Comment "NGen Worker Process"
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 498 -NGENProcess 46c -Pipe 484 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 46c -NGENProcess 478 -Pipe 4a0 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 474 -NGENProcess 47c -Pipe 4a4 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 47c -NGENProcess 460 -Pipe 468 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 474 -NGENProcess 47c -Pipe 460 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 498 -InterruptEvent 47c -NGENProcess 44c -Pipe 46c -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 478 -InterruptEvent 490 -NGENProcess 3e8 -Pipe 2d4 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 490 -NGENProcess 478 -Pipe 464 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 47c -NGENProcess 3e8 -Pipe 498 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 4c0 -NGENProcess 410 -Pipe 4bc -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4c8 -NGENProcess 4ac -Pipe 4c4 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c8 -InterruptEvent 4cc -NGENProcess 4a8 -Pipe 4b8 -Comment "NGen Worker Process"
- Modifies data under HKEY_USERS
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 4b0 -NGENProcess 4cc -Pipe 44c -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b0 -InterruptEvent 4cc -NGENProcess 3e8 -Pipe 4c0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 47c -NGENProcess 4d0 -Pipe 410 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 4d0 -NGENProcess 4b0 -Pipe 4ac -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d0 -InterruptEvent 4c4 -NGENProcess 3e8 -Pipe 470 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 47c -NGENProcess 4d8 -Pipe 4d0 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 47c -InterruptEvent 4a8 -NGENProcess 3e8 -Pipe 4cc -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 4dc -NGENProcess 4c4 -Pipe 4c8 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e4 -InterruptEvent 3e8 -NGENProcess 480 -Pipe 258 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 1ec -NGENProcess 4b0 -Pipe 474 -Comment "NGen Worker Process"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (depth 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
-
C:\Windows\ehome\ehRecvr.exe (depth 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
-
C:\Windows\ehome\ehsched.exe (depth 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
-
C:\Windows\eHome\EhTray.exe (depth 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
-
C:\Windows\ehome\ehRec.exe (depth 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\IEEtwCollector.exe (depth 1)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (depth 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
C:\Program Files\Windows Media Player\wmpnetwk.exe (depth 1)
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SearchFilterHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
-
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\dllhost.exe (depth 1)
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
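Nearly every depth-1 entry in the tree above is a Windows, Office, Chrome or Mozilla service binary started from its normal path, yet the report tags it "Executes dropped EXE", the signature the sandbox raises when a process runs an executable that was written during the analysis. The Python below is an added example, not part of the report or of any sandbox's own tooling. It parses the tree in the form the sandbox's text export delivers it (image path and full command line run together on one line, a trailing `N⤵` depth marker, and `- ` bullets for the signatures that fired), links each worker to its parent by depth, and collects the image paths that carry that tag while living under Windows or Program Files, which is the list to verify on disk (hash and Authenticode signature) before trusting the host. The sample input is a handful of lines constructed from this report; `SYSTEM_ROOTS` is an assumption about which directories matter for the triage.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One process line in the raw export: "<image path><command line><depth>⤵".
# The image path ends in .exe; the command line starts either with a quote or
# with another drive-letter path. Depth is a single digit in this export, which
# also resolves the ambiguity of a command line ending in a digit ("/nav:-2" + "1⤵").
SPLIT_RE = re.compile(r'^(?P<path>.+?\.exe)(?P<cmd>(?:"|[A-Za-z]:\\|\\).*)$', re.IGNORECASE)
DEPTH_RE = re.compile(r'(\d)⤵\s*$')

# Assumption for triage: a freshly dropped executable under these roots is a red flag.
SYSTEM_ROOTS = ('c:\\windows\\', 'c:\\program files')


@dataclass
class Process:
    image_path: str
    command_line: str
    depth: int
    parent_path: Optional[str]
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Process]:
    """Parse the raw sandbox process-tree export into Process records."""
    procs: List[Process] = []
    stack: List[tuple] = []          # (depth, index into procs) of open ancestors
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue                 # blank line or entry separator
        if line.startswith('- '):
            if procs:                # a signature bullet belongs to the last process
                procs[-1].signatures.append(line[2:].strip())
            continue
        m = DEPTH_RE.search(line)
        depth = int(m.group(1)) if m else 1
        body = line[:m.start()] if m else line
        sm = SPLIT_RE.match(body)
        if sm:
            path, cmd = sm.group('path'), sm.group('cmd')
        else:                        # image path only: the command line is the path
            path, cmd = body, body
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = procs[stack[-1][1]].image_path if stack else None
        stack.append((depth, len(procs)))
        procs.append(Process(path, cmd, depth, parent))
    return procs


def dropped_system_binaries(procs: List[Process]) -> List[str]:
    """Image paths under SYSTEM_ROOTS that the report tagged as dropped, deduplicated."""
    seen, out = set(), []
    for p in procs:
        low = p.image_path.lower()
        if 'Executes dropped EXE' in p.signatures and low.startswith(SYSTEM_ROOTS):
            if low not in seen:
                seen.add(low)
                out.append(p.image_path)
    return out


# Constructed sample: a few lines in the report's own export format.
SAMPLE = r'''
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
-
'''

if __name__ == '__main__':
    tree = parse_tree(SAMPLE)
    for p in tree:
        print(f'{"  " * (p.depth - 1)}{p.image_path}  [{", ".join(p.signatures)}]')
    print('verify on disk:', dropped_system_binaries(tree))
```

The depth marker is the only link between a worker and its parent in this export, so the parser keeps a stack of open ancestors rather than assuming the previous line is the parent; the two NGen workers under the 64-bit mscorsvw.exe service, for instance, resolve to that service and not to each other.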
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize: 1.3MB
MD5: f4371e7608f937cd3b4873240ad44995
SHA1: e8b3ae6c070daf9010a705354342b3f4a2b1883b
SHA256: 0c475b1fbd468d7568c1c09d9114f38b7ae8293c0ea98fd75c4fbf408682279c
SHA512: 4dc254bec72b85097824745ef7c511d974ebed129aa526fb7a66528eab8b4d120cc85adcf792d402d52c4bfb256e893d9914578dba595bc2aed251683614d76b
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Filesize: 30.1MB
MD5: 0852c5e7ffff612d9d376cadf6c55ed8
SHA1: 241c8c537a0aa2d2e21eb94109ae4b2e52523b9b
SHA256: 344c607965a45ee2920562b47fbcaa1e387f16b287c921da7a435e5dfcbeee48
SHA512: edba6ae6543b2c9ca23a51ddf03f3679e987ec4154fd80c0989f6051ffc2eabe50c490b848f63e76c7ca8d73507f58f1e4841dd59000256ca25c6d1833514108
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize: 1.4MB
MD5: 1447028d772b968418f4b1a8f9faa90e
SHA1: d32504c1d0e8ce19a349771060884c66de558f73
SHA256: c07e30421546eb8ad24f7351182cc1fac235fcf1451a1bc55496b10152dda4ac
SHA512: 28a4e7aa65243c6c926651421cb3e4765c0c80a6843640086c655aef72f0ccbb3ed0610f405df6618a53a8ef6a4a4460b709af2753fb7b4d18253b8a91080534
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Filesize: 5.2MB
MD5: ea3f3e824be002600288c881ce6d84a6
SHA1: 7fb58c78e84566e14ea059ca0875e1f824b2eb47
SHA256: 15419e3a343e227749e623ee48a9b51e5f7fb74a4508aed963856b0a58364509
SHA512: 8805af860d3edd326a749c897ef06805b7a0b8b4da206f34c0ab29bb51cd6d5d912659623d6d2ae0228dd8b1ac81dcbe0abdd3aaa0532ee20c426b37df1f0969
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize: 2.1MB
MD5: 02ffcf5620818fbd638e7a294f59b2c2
SHA1: d39c02afe7eb859aabf966df0a46dd8a0d1303a3
SHA256: 08661553e9d34d1113bec8416ae79016d64de3f96371d2fb717515590b4cc6b3
SHA512: ebd5f57c7e78ee695df7330baa9cdf214ea2419a5502c71d67fdf8eb6d49e1a741d2bcf8f0cfab84d2f4f85b0a34a6373db6641c9ee30054a7c9da4854ae5ec6
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
Filesize: 1024KB
MD5: e4e8bd22f7cb41cb482ed6d096f5454a
SHA1: fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA256: 4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512: a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize: 24B
MD5: b9bd716de6739e51c620f2086f9c31e4
SHA1: 9733d94607a3cba277e567af584510edd9febf62
SHA256: 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512: cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
Filesize: 872KB
MD5: 16eeb49badf92827b837b41cf260b5a1
SHA1: f72c32eb820579b5cb15bc9aaece17bf009484e5
SHA256: f8622feeaf2ea8d7f99d3ac69c32970e939dfa3a5fcd630b7063f71c94b54a42
SHA512: ba1e819b2c3b0915a9e950589b0bcaefff0160b944410e97760312331b8726c37db2fdc425ccc03abb1f1dbf6f1b2aec7b05e81084a0f35d6f31d99ca8e0c339
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Filesize: 1.3MB
MD5: 97b15a70a848812a107d0b2ca4c790f8
SHA1: 0189d547867aedad3fcf9b390bf9672a5f6a510d
SHA256: 6a251ca14c85a74942a1f152dd26c09218b841c3f5cb62703d4e30f3e2375f17
SHA512: 2aec08acf9964f250a3a0e6dd9dad577143181bbf42319a5874407d5caa551802b021af89179810389a7f76a119321b42efd18edeba628a1ffe213046fc5dd17
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize: 1.2MB
MD5: 18f8206cc502b3f6637ebaf7bd3ce05f
SHA1: 45f638466f80653c782b32796b0aaad66dffbe9e
SHA256: 4ae908c01fa25f0572585d577ed6932cc6cb92ae875eeb04af8ef0ab6404d513
SHA512: a7cd34724fe45a54780aea2980e35dd0e98b5ad2e9ccdc555ee98f47a93ac5d012439eaee080cd0ef797a57524c2c00e1a83b39fb0cb512799cf68badf789b2d
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize: 1003KB
MD5: 5c8f7db7391d913171e95c8577ce8544
SHA1: c9da7337e03478d366809a7a13910eee5caf7dff
SHA256: fb4148735ee3164318b96e099816d27681b10c235dba4b3d5e0652892ef22090
SHA512: de60af5895b63f264e161cf9cd21b5c2427526bff5ae0ef414d60a50dd8adc93635acad0e6a8903a889515022d9d2e96d2f5e9fbb37564d46db211f9ec408178
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 1.3MB
MD5: 2c3694e825cfce44b318b11fc07908d2
SHA1: 6c54b4f2fa9ea7f04c6b38912408b7f117b067c9
SHA256: 1540306e1b9c380782a251ca4dc50359b39cd1b178815063d01533c24aa82ccb
SHA512: 9a92fdc5eca9b348c1717ad8a1015a36fa9273055be93c547c3394ee68432be50bd6870117e4664d1f41349d5505684f532c68764960c665c54e2b69bcedce43
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Filesize: 8KB
MD5: 9d1880c0108e894a53fa73bb42197c28
SHA1: e2bbd484860002860eeb07f11a3d90a64f5392c0
SHA256: 730921427fdc9967ddb738c604219134291265fa6d5bd014bdf918a5d766ea09
SHA512: 2d8dbb36c7b9d2a030e45c99de61fa3505e59a740f068aa9bba1a14c9f12778c53d50b1248e21cf6e0b4e3733b67a50b545563607fb093db9f09e00035d157fd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\2bba7245ae4ef42b.bin
Filesize: 12KB
MD5: f624aced3d694f8d2bf7fa1c3f4a27e1
SHA1: d1be0cc0cb39fbf9771acc35d90b10d7101e8bfa
SHA256: 936fd2933f2f168c244215df76e5b1bac8cdf353951e0177086baa4142bf6d24
SHA512: 91caeb48261027601cfc4dabef897ca3c265b85a3955d637a3004b6592e804da2349d6e978b4bbee8d5a8adf7fbd303bcb11bcc429f8c00c33839bc9d3452102
-
C:\Windows\SysWOW64\perfhost.exe
Filesize: 1.2MB
MD5: 0cd7a0cf918f8f0d3925d9356a788f11
SHA1: 2788f157f5ab46de1c6b4b1429bdea7455f94beb
SHA256: 23645f72836db5e644d375af09be30b84570d08bc4b65b8db02fc145e6ee1746
SHA512: 44af66202eadc7302a340fb178b54659773209bdb1ca19ad82d1549a12a7bb12e6557ebf7d297eedc2ebd6ad9803cda12a98050f7b2b504e7b6eadff0ba85f23
-
C:\Windows\System32\Locator.exe
Filesize: 1.2MB
MD5: beb96cbc9f670d2483b88e6159dca0da
SHA1: 6217df3efb4b31601cc8f30234eb7d10e22d0deb
SHA256: b5dee8981bbe24c05844953e3f0b817ea2739944ddbff8e33694156b66cc3dc1
SHA512: 111ee6901d525618637a66a63f46ce4c7975049c96d04f02b9f371abd29ed3d1281cae728b771e5909c0883478c4a340e28896dff43b9edab74d85e8dda67f61
-
C:\Windows\System32\SearchIndexer.exe
Filesize: 1.1MB
MD5: 957d6ce00ec390a4a95e4dd72b8660d0
SHA1: ca532d664617c3c3daf9606b3f3401957da9b737
SHA256: ad76c13744f17ba017d927bf94e6794f04e367be56987d3ec64e2e994d2667e1
SHA512: 844b3a7cc7d7f8ae9ff3242f7ab9e7df56261f4f4cb9fddc76bc345bf02dc66dc8dad8143e50796f8e523fd3f8ab13ee47e3ad261e4b7fe535228277ffa25e3e
-
C:\Windows\System32\VSSVC.exe
Filesize: 2.1MB
MD5: f63b6c848423fe0a3d1a0d7185e34de9
SHA1: ee91909cc76af15fb3002d979acf3db6eea0d292
SHA256: a9fb1e368d88dde2b88c3ce008b57f5ddaf4c11beb8ee10c7a5cdc9bbd1c46a7
SHA512: 82b9f4b8789324b5e334c6ec8a68080f911264b084e3ccb10eba73405b2c23db0f9b1ab09ac211c89a1867c90cdfde221e3dec6f7062c6a8515e5c840ef9dd79
-
C:\Windows\System32\alg.exe
Filesize: 1.3MB
MD5: fa41212f8da3d11caa94abe550a50715
SHA1: 24788a913c9ffec8e5540dde8d2f1d3f63e39145
SHA256: 30514dd126d0fcb9e28c7d7f62a37b2e0e66de3e8c83eb766e1e94e710328bd8
SHA512: 73e0314d322fb9b3e191cb710a0043ac71f1b74ce2cf15c53ab99169b7ef224860b195398e5cd532bd355227e30f759ca6713b0ba369bad86caeaed85b5caa73
-
C:\Windows\System32\vds.exe
Filesize: 1.7MB
MD5: ee15d043b00bd21f1d015a1019e73adf
SHA1: 072a1138b5e7219b8d9c02a46e8bb1c0a97350d2
SHA256: 5944b7e4131625bc42c43a7857e720db3afd4ade30f147de0e6dcad479dc3d03
SHA512: 81b4d66ddd340324aa8f1d709d0e7c8385f8cf62cfa46fb3aba7245f06f2effcb9302e36e2e8449345a889638d0c17c5096506027d30b932b4f28faf5a0a6c60
-
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize: 1.4MB
MD5: 13791e78ba983f620f21c719868da08d
SHA1: afc46c4043c8f319d9167fd4212cd79fad116cba
SHA256: 74774858b9eec3a1d199bcd0cf1c0b3abfbe51bab6b484e79a50886f247e1a24
SHA512: d4fd7e3b9089952b510ea9032f92437796d1d3d505c8db46b408c1a2d326c1a36b43a848259a2654f3d548214ac9c3abab0775ff9f1347e2559f3601df5b5adf
-
C:\Windows\System32\wbengine.exe
Filesize: 2.0MB
MD5: 5abd80880e064264674fe6fae8352e59
SHA1: 09b4f7aa7e1fe4e481be8184782ad544bb29eedc
SHA256: 8322c3024fae4569db81bfb5bfdd00ef20f3ba4a0fc269d751ee095b842b3f5c
SHA512: 800b9740c2da6dbb5209196692f434500c391b3cda7448abd912438de5d3027caf57302b384f7d7e4db19e9cada41481f29020db47039dad2f662c3cedf16b1e
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize: 834KB
MD5: c76656b09bb7df6bd2ac1a6177a0027c
SHA1: 0c296994a249e8649b19be84dce27c9ddafef3e0
SHA256: a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA512: 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize: 797KB
MD5: aeb0b6e6c5d32d1ada231285ff2ae881
SHA1: 1f04a1c059503896336406aed1dc93340e90b742
SHA256: 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512: e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize: 163KB
MD5: e88828b5a35063aa16c68ffb8322215d
SHA1: 8225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA256: 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512: e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize: 1.3MB
MD5: 006498313e139299a5383f0892c954b9
SHA1: 7b3aa10930da9f29272154e2674b86876957ce3a
SHA256: 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA512: 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize: 148KB
MD5: ac901cf97363425059a50d1398e3454b
SHA1: 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256: f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512: 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize: 34KB
MD5: c26b034a8d6ab845b41ed6e8a8d6001d
SHA1: 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256: 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512: 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize: 109KB
MD5: 0fd0f978e977a4122b64ae8f8541de54
SHA1: 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256: 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512: ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1195a272885bfc6c7a593fb92ac57f98\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize: 180KB
MD5: bc178e8875b1d6134e6af6c002a3c920
SHA1: 5a7743c297fe2e61a74dac045aa848e519114765
SHA256: 66a1625aa2eeb3c23e34b01d99c11f8835130c87678f646d01d6057bf85b43b4
SHA512: c674e9d920141566853adbf477a80358f6b0b5187af836b5f88d9f9a6fc54ea715b2474a1ffa92c543c98bd315233e30e257fef85ba74e4368213b8efecf5446
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\34233525a391d439923e715a91a96930\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize: 83KB
MD5: 48d62e34db4c8acd7f074e6d117b9518
SHA1: d9361fa9bcbf6e065bb5739dcd6259ef58029f4e
SHA256: 0fbfd32d04f17e34ed7f8c2664f65f3612ac8fe0c0a2c4cc1f469b5d66e499fe
SHA512: 79335a5a1ad7be75869fcd5e6563d760264a96614b992e01c35bf42b5fdd38e682cdb71506067c73fef5dfb7ca0b02b45936a72ed63e640ec5ca2312a2535aea
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize: 41KB
MD5: 3c269caf88ccaf71660d8dc6c56f4873
SHA1: f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256: de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512: bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize: 210KB
MD5: 4f40997b51420653706cb0958086cd2d
SHA1: 0069b956d17ce7d782a0e054995317f2f621b502
SHA256: 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512: e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize: 53KB
MD5: e3a7a2b65afd8ab8b154fdc7897595c3
SHA1: b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256: e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512: 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize: 28KB
MD5: aefc3f3c8e7499bad4d05284e8abd16c
SHA1: 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256: 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512: 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize: 27KB
MD5: 9c60454398ce4bce7a52cbda4a45d364
SHA1: da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256: edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512: 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize: 57KB
MD5: 6eaaa1f987d6e1d81badf8665c55a341
SHA1: e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256: 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512: dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0875814d875a4896bc9e6e44bf4410d\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize: 187KB
MD5: f05978f57cfc930c3695713f466b61a3
SHA1: 440ee50c27ab995ec55baf4d3e2d1e6630559784
SHA256: bddf00cb4086dbab3fbbe9b9a6764efed06c03b17ed46d36e6ff3721df94bf8c
SHA512: 52841ceac3993136c29fbf8bdcdb9048ff0d3d3823692d36b54f6b19111997777d0bab105cdd5b8a244377fa6903127642e06bd77f8c15f78eb5541a283196d5
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize: 130KB
MD5: 2735d2ab103beb0f7c1fbd6971838274
SHA1: 6063646bc072546798bf8bf347425834f2bfad71
SHA256: f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512: fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize: 59KB
MD5: 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1: b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256: a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512: 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f6aafb58fdc1d6a31147aa777abe98b6\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize: 143KB
MD5: 7db71ac552ab06db76705fde07a4be34
SHA1: 774b57e082a1d379a4953d4453c05e69ec1159a1
SHA256: def56d7efdfb0c9abacef103c09789c118dfd6dbb580486c2e807c760938a81e
SHA512: 0b7fadf2aef201aa2df1cd3eb9c68dd71af52de55a13d1b10593eb5a6238ae5be42d556be9a59c2e178f36f713d83bc13143b0f86e5ccdca1fe1f1a79a08d452
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize: 42KB
MD5: 71d4273e5b77cf01239a5d4f29e064fc
SHA1: e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256: f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512: 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize: 855KB
MD5: 7812b0a90d92b4812d4063b89a970c58
SHA1: 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256: 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512: 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize: 43KB
MD5: 3e72bdd0663c5b2bcd530f74139c83e3
SHA1: 66069bcac0207512b9e07320f4fa5934650677d2
SHA256: 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512: b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
\Program Files\Windows Media Player\wmpnetwk.exe
Filesize: 2.0MB
MD5: 48f5628f80a51d126474493313c48311
SHA1: 44cc4a30f6b36db7153bbd244e7b6c69e2c6145f
SHA256: 2d3df4c5b3e48a17550cec2b0c2ce5edfcfad0de8fc2ebfbd54a15c2d62735d2
SHA512: 1e699793936d03b2358bc77a6b24080791b4c1eda80c67a61ffd77a219332437764c8ee24e2dd71b60b90e2c86010cb8439872ceacd0aed9df6c8732cc594af3
-
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Filesize: 1.3MB
MD5: c57de8e6604718c0f4ad93d28cc6a91f
SHA1: 70ae617ea65e0189dd6fe60196a9c7425d438225
SHA256: 075e0f8e473fd2d8f874dde6fe08a0e441889f56b1f4f17a13b4286540b4ce39
SHA512: 00b1a377bfc51767cc8edcbfc331c2e4c8c313efc93f223dffa93bbe6b1cad3fc8529576768e70627c28c56e3eaf4649054e591f4463c202669f49a8285b8825
-
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Filesize: 1.2MB
MD5: c2dd0ecd889735d2a3ce54add456f8fc
SHA1: 8dc1267beeafed876505540e5a0290e0d5d02691
SHA256: 2dbdd4213d455f6a3ceff87ec19ccfa6a5ba0d8f79e1ab454963eff24a7dc545
SHA512: f1ecad8243704b5b5128506be09aeb45d2c022e7327b5f3672bf77b165bdf8282566e0df694d8130a49c5d903245629d2bb8d55d52f16a2085cfab16708217ce
-
\Windows\System32\ieetwcollector.exe
Filesize: 1.3MB
MD5: b93cdc1fd56ee015c8f9859ba4049add
SHA1: 069dcfa1764e1be8be2077d9c014bf16c8f0dbb7
SHA256: b3fdbd32f7a4b2757ddfa167ba835d5e81588739987368de27d4b3c66ff0cb4d
SHA512: fe304a8fd876342f7e764bcc53e6d22b176aa4b23f7763370dc8aa36b7235da1486f625246dbe1108a5fe8e24a7cdaf312f9b15a58bf573ef06545281f0cb2c6
-
\Windows\System32\msdtc.exe
Filesize: 1.3MB
MD5: d0fc1dbd3680b58080abcd290e1b2f4f
SHA1: 8c7aba52f29a90786d0125a4963b5f15d489e7e3
SHA256: 637496b089e6a591602667e536eef10e8cf42b994e18f1cd6db7a438d3b9ce15
SHA512: efb53e9abbf522600d0da51d044b650634c911874f80ce7dc856cc78446339423dd8cbae355d6cd15d6cfc800a05257b2b7b826b03a932cd3024a0c4fab2429d
-
\Windows\System32\msiexec.exe
Filesize: 1.3MB
MD5: a829e3f6700773651449e84849275d50
SHA1: df057ef2b7c77864d8cfbf95b07b1585b1336e34
SHA256: a5aed24ade67679147ff7eaf408412f7b5541703d379c58a7ce5389ef5cef369
SHA512: 0cdb428ed55697abb4465729f957ce4476848768548cc868fc8d87bd6f7dbe7e8edd9599f868d2d4df92ea01098702bf62c40e908d362052116e6fe0120ece8a
-
\Windows\System32\snmptrap.exe
Filesize: 1.2MB
MD5: 9938b97d7f265334c6be0da60d895cf1
SHA1: d8a75785161d4f95a4da676662820e2b8f409555
SHA256: 85c3c20ff1f50c1c4a6e7f40c9d7bdc61d25f8c0ceac0566846b58fc071fbdfb
SHA512: 0491225757c69ab228ac4c6bbae0df4d3da6ba6704a9bec3303b3a70cc3346f40fb54a3a815681bbad53e086f9157f885b0ceb760a2cce05be34359d554927fc
-
\Windows\ehome\ehrecvr.exe
Filesize: 1.2MB
MD5: 854df65d4703486c8430cfa3ae7a54ab
SHA1: 69b0f2d6e725ca47c8911393d9f78e67d3683561
SHA256: 9ad7bb87f2a1e5af421f12ecffdf2e44495717d8369e1f0e6a4bfe140c08f5c7
SHA512: ab3f6b1357ace78d69f28a487a7b879656e1a38b61a39373408647d10371bf6d19af02788fbe02cc2c5ef4de1c4a1e82dafac175d943af3c30426f3fe7bc37f4
-
\Windows\ehome\ehsched.exe
Filesize: 1.3MB
MD5: 1183959414035a58aa63e833c680ae74
SHA1: dd12638ebfc9ebc18a03d2d2210dbba4a05195df
SHA256: b2ea1e0f891f0249359be1f196e7566c7b3f98955b6d99696a9bad3fc8fe4e7c
SHA512: 7f2737f4636d0fe34eba15b3c3a21ce2af0e91fa336399bde89c29eb2c1787374fa1e91795e20c0a2db1b3327a82804a3f386ce8e345db774e9389f9492b7c65
-
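The Downloads list is the report's inventory of files written during the run, and it is the part of the page worth carrying into a hunt: the same service binaries that the process tree tags as dropped appear here with their sizes and digests. The sandbox's text export fuses each label onto its value (`...OSE.EXEFilesize`, `MD5f4371e...`), and several entries carry a path with no drive letter (`\Windows\System32\msdtc.exe`). The Python below is an added example, not part of the report or of any sandbox's own tooling. It parses the export (either the fused form or the `Label: value` form), normalises sizes to bytes, checks that each digest has the right length for its algorithm, flags drive-less paths, and emits a `path,size_bytes,sha256` hunt list deduplicated by SHA-256 that can be compared against `Get-FileHash` output from a suspect host. The three sample entries are constructed from this report's own list.

```python
import re
from typing import Dict, List

# Raw export: "<path>Filesize" / "<size>" / "MD5<hex>" / "SHA1<hex>" / ...
# The same patterns accept the spaced form "Filesize: 1.3MB" / "MD5: <hex>".
HASH_RE = re.compile(r'^(SHA512|SHA256|SHA1|MD5)\s*:?\s*([0-9a-fA-F]+)$')
SIZE_RE = re.compile(r'^(?:Filesize\s*:?\s*)?(\d+(?:\.\d+)?)\s*([KMG]?B)$')
PATH_SUFFIX_RE = re.compile(r'\s*Filesize\s*:?\s*$')
HEX_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}
UNIT = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}


def parse_size(num: str, unit: str) -> int:
    """'1.3', 'MB' -> approximate byte count (the report rounds to one decimal)."""
    return int(float(num) * UNIT[unit])


def parse_downloads(text: str) -> List[Dict]:
    """Turn the Downloads export into one dict per file."""
    entries: List[Dict] = []
    cur: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':          # entry separator
            if cur.get('path'):
                entries.append(cur)
            cur = {}
            continue
        hm = HASH_RE.match(line)
        if hm:
            cur[hm.group(1).lower()] = hm.group(2).lower()
            continue
        sm = SIZE_RE.match(line)
        if sm:
            cur['size_text'] = sm.group(1) + sm.group(2)
            cur['size_bytes'] = parse_size(sm.group(1), sm.group(2))
            continue
        # Anything else starts a new entry: a path, possibly with "Filesize" fused on.
        if cur.get('path'):
            entries.append(cur)
        cur = {'path': PATH_SUFFIX_RE.sub('', line)}
    if cur.get('path'):
        entries.append(cur)
    return entries


def validate(entry: Dict) -> List[str]:
    """Return the problems with one record; an empty list means it is consistent."""
    problems = []
    for alg, n in HEX_LEN.items():
        digest = entry.get(alg)
        if digest is None:
            problems.append(f'missing {alg}')
        elif len(digest) != n:
            problems.append(f'{alg} has {len(digest)} hex digits, expected {n}')
    if 'size_bytes' not in entry:
        problems.append('missing size')
    if not re.match(r'^[A-Za-z]:\\', entry['path']):
        problems.append('path has no drive letter')
    return problems


def to_hunt_csv(entries: List[Dict]) -> str:
    """Deduplicate by SHA-256 and emit a minimal hunt list."""
    rows, seen = ['path,size_bytes,sha256'], set()
    for e in entries:
        key = e.get('sha256')
        if key and key not in seen:
            seen.add(key)
            rows.append(f'"{e["path"]}",{e["size_bytes"]},{key}')
    return '\n'.join(rows)


# Constructed sample: three entries copied from this report's Downloads list.
SAMPLE = r'''
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
1.3MB
MD5f4371e7608f937cd3b4873240ad44995
SHA1e8b3ae6c070daf9010a705354342b3f4a2b1883b
SHA2560c475b1fbd468d7568c1c09d9114f38b7ae8293c0ea98fd75c4fbf408682279c
SHA5124dc254bec72b85097824745ef7c511d974ebed129aa526fb7a66528eab8b4d120cc85adcf792d402d52c4bfb256e893d9914578dba595bc2aed251683614d76b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-msFilesize
24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
C:\Windows\System32\alg.exeFilesize
1.3MB
MD5fa41212f8da3d11caa94abe550a50715
SHA124788a913c9ffec8e5540dde8d2f1d3f63e39145
SHA25630514dd126d0fcb9e28c7d7f62a37b2e0e66de3e8c83eb766e1e94e710328bd8
SHA51273e0314d322fb9b3e191cb710a0043ac71f1b74ce2cf15c53ab99169b7ef224860b195398e5cd532bd355227e30f759ca6713b0ba369bad86caeaed85b5caa73
-
'''

if __name__ == '__main__':
    found = parse_downloads(SAMPLE)
    for e in found:
        print(e['path'], e['size_text'], validate(e) or 'ok')
    print(to_hunt_csv(found))
```

The label alternation in `HASH_RE` is ordered longest first so that `SHA1` followed by a digest starting with a digit is never read as `SHA256` or `SHA512`; the length check in `validate` then catches a digest that lost characters in copy-paste, which is the usual way a hunt list ends up matching nothing.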
memory/540-159-0x0000000140000000-0x00000001401F9000-memory.dmp
Filesize: 2.0MB
-
memory/540-697-0x0000000140000000-0x00000001401F9000-memory.dmp
Filesize: 2.0MB
-
memory/824-115-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize: 2.2MB
-
memory/824-203-0x0000000140000000-0x0000000140237000-memory.dmp
Filesize: 2.2MB
-
memory/824-113-0x00000000008B0000-0x0000000000910000-memory.dmp
Filesize: 384KB
-
memory/824-107-0x00000000008B0000-0x0000000000910000-memory.dmp
Filesize: 384KB
-
memory/932-102-0x0000000000170000-0x00000000001D0000-memory.dmp
Filesize: 384KB
-
memory/932-729-0x0000000140000000-0x00000001401F5000-memory.dmp
Filesize: 2.0MB
-
memory/932-96-0x0000000000170000-0x00000000001D0000-memory.dmp
Filesize: 384KB
-
memory/932-199-0x0000000140000000-0x00000001401F5000-memory.dmp
Filesize: 2.0MB
-
memory/932-93-0x0000000140000000-0x00000001401F5000-memory.dmp
Filesize: 2.0MB
-
memory/1452-225-0x0000000000400000-0x00000000005EB000-memory.dmp
Filesize: 1.9MB
-
memory/1452-158-0x0000000000400000-0x00000000005EB000-memory.dmp
Filesize: 1.9MB
-
memory/1656-125-0x0000000140000000-0x00000001401E0000-memory.dmp
Filesize: 1.9MB
-
memory/1656-16-0x0000000140000000-0x00000001401E0000-memory.dmp
Filesize: 1.9MB
-
memory/1772-145-0x0000000140000000-0x000000014020D000-memory.dmp
Filesize: 2.1MB
-
memory/1772-162-0x0000000140000000-0x000000014020D000-memory.dmp
Filesize: 2.1MB
-
memory/1904-95-0x0000000001390000-0x00000000013A0000-memory.dmp
Filesize: 64KB
-
memory/1904-187-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize: 1.2MB
-
memory/1904-86-0x0000000000820000-0x0000000000880000-memory.dmp
Filesize: 384KB
-
memory/1904-80-0x0000000000820000-0x0000000000880000-memory.dmp
Filesize: 384KB
-
memory/1904-90-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize: 1.2MB
-
memory/1904-94-0x0000000001380000-0x0000000001390000-memory.dmp
Filesize: 64KB
-
memory/1904-778-0x0000000140000000-0x000000014013C000-memory.dmp
Filesize: 1.2MB
-
memory/1908-843-0x0000000002380000-0x000000000251E000-memory.dmp
Filesize: 1.6MB
-
memory/1908-54-0x0000000000C00000-0x0000000000C67000-memory.dmp
Filesize: 412KB
-
memory/1908-852-0x0000000002180000-0x00000000021E6000-memory.dmp
Filesize: 408KB
-
memory/1908-845-0x0000000001DF0000-0x0000000001E00000-memory.dmp
Filesize: 64KB
-
memory/1908-850-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
Filesize: 32KB
-
memory/1908-168-0x0000000000400000-0x00000000005EB000-memory.dmp
Filesize: 1.9MB
-
memory/1908-851-0x0000000001DE0000-0x0000000001E0A000-memory.dmp
Filesize: 168KB
-
memory/1908-49-0x0000000000C00000-0x0000000000C67000-memory.dmp
Filesize: 412KB
-
memory/1908-56-0x0000000000400000-0x00000000005EB000-memory.dmp
Filesize: 1.9MB
-
memory/1908-841-0x0000000002180000-0x000000000220C000-memory.dmp
Filesize: 560KB
-
memory/1908-840-0x0000000001DE0000-0x0000000001DFA000-memory.dmp
Filesize: 104KB
-
memory/1908-839-0x0000000002190000-0x00000000021AE000-memory.dmp
Filesize: 120KB
-
memory/1908-846-0x0000000002180000-0x0000000002208000-memory.dmp
Filesize: 544KB
-
memory/1908-849-0x0000000001DE0000-0x0000000001E04000-memory.dmp
Filesize: 144KB
-
memory/1908-844-0x0000000002180000-0x000000000226C000-memory.dmp
Filesize: 944KB
-
memory/1908-829-0x0000000001DD0000-0x0000000001DDA000-memory.dmp
Filesize: 40KB
-
memory/1908-842-0x0000000002180000-0x0000000002224000-memory.dmp
Filesize: 656KB
-
memory/2240-120-0x0000000140000000-0x00000001401F1000-memory.dmp
Filesize: 1.9MB
-
memory/2240-730-0x0000000140000000-0x00000001401F1000-memory.dmp
Filesize: 1.9MB
-
memory/2240-209-0x0000000140000000-0x00000001401F1000-memory.dmp
Filesize: 1.9MB
-
memory/2248-89-0x0000000000400000-0x0000000001EFA000-memory.dmp
Filesize: 27.0MB
-
memory/2248-5-0x0000000000240000-0x00000000002A7000-memory.dmp
Filesize: 412KB
-
memory/2248-9-0x0000000000400000-0x0000000001EFA000-memory.dmpFilesize
27.0MB
-
memory/2248-0-0x0000000000240000-0x00000000002A7000-memory.dmpFilesize
412KB
-
memory/2552-740-0x0000000001000000-0x00000000011D9000-memory.dmpFilesize
1.8MB
-
memory/2552-200-0x0000000001000000-0x00000000011D9000-memory.dmpFilesize
1.8MB
-
memory/2556-188-0x0000000100000000-0x0000000100542000-memory.dmpFilesize
5.3MB
-
memory/2556-735-0x0000000100000000-0x0000000100542000-memory.dmpFilesize
5.3MB
-
memory/2588-731-0x000000002E000000-0x000000002E1F8000-memory.dmpFilesize
2.0MB
-
memory/2588-186-0x000000002E000000-0x000000002E1F8000-memory.dmpFilesize
2.0MB
-
memory/2604-19-0x0000000000590000-0x00000000005F7000-memory.dmpFilesize
412KB
-
memory/2604-37-0x0000000010000000-0x00000000101E2000-memory.dmpFilesize
1.9MB
-
memory/2604-26-0x0000000010000000-0x00000000101E2000-memory.dmpFilesize
1.9MB
-
memory/2604-24-0x0000000000590000-0x00000000005F7000-memory.dmpFilesize
412KB
-
memory/2608-119-0x0000000100000000-0x00000001001E7000-memory.dmpFilesize
1.9MB
-
memory/2608-12-0x0000000100000000-0x00000001001E7000-memory.dmpFilesize
1.9MB
-
memory/2652-72-0x0000000140000000-0x00000001401F1000-memory.dmpFilesize
1.9MB
-
memory/2652-184-0x0000000140000000-0x00000001401F1000-memory.dmpFilesize
1.9MB
-
memory/2652-64-0x00000000001F0000-0x0000000000250000-memory.dmpFilesize
384KB
-
memory/2652-70-0x00000000001F0000-0x0000000000250000-memory.dmpFilesize
384KB
-
memory/2820-40-0x0000000010000000-0x00000000101EA000-memory.dmpFilesize
1.9MB
-
memory/2824-752-0x0000000100000000-0x00000001001D9000-memory.dmpFilesize
1.8MB
-
memory/2824-211-0x0000000100000000-0x00000001001D9000-memory.dmpFilesize
1.8MB
-
memory/2904-710-0x00000000005F0000-0x00000000007E5000-memory.dmpFilesize
2.0MB
-
memory/2904-182-0x00000000005F0000-0x00000000007E5000-memory.dmpFilesize
2.0MB
-
memory/2904-698-0x0000000100000000-0x00000001001F5000-memory.dmpFilesize
2.0MB
-
memory/2904-171-0x0000000100000000-0x00000001001F5000-memory.dmpFilesize
2.0MB
-
memory/2952-131-0x00000000004B0000-0x0000000000517000-memory.dmpFilesize
412KB
-
memory/2952-205-0x000000002E000000-0x000000002FE1E000-memory.dmpFilesize
30.1MB
-
memory/2952-133-0x000000002E000000-0x000000002FE1E000-memory.dmpFilesize
30.1MB
-
memory/2952-126-0x00000000004B0000-0x0000000000517000-memory.dmpFilesize
412KB
-
memory/2988-207-0x0000000100000000-0x00000001001D8000-memory.dmpFilesize
1.8MB
-
memory/3016-544-0x0000000003D20000-0x0000000003DDA000-memory.dmpFilesize
744KB
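The memory-dump entries above follow the naming scheme memory/<pid>-<index>-<start>-<end>-memory.dmp, so each listed Filesize can be cross-checked against its address range, the base address hints at what was captured (0x140000000 is the usual x64 EXE link base, 0x400000 the usual x86 one), and the same range appearing under several indices (for example 824-115 and 824-203) means the sandbox captured that region more than once during the run. The Python below is an added example written for this page, not code or output from the sandbox that produced the report; the naming scheme, the size-rounding rule and the image-base table are assumptions inferred from the listing, and the sample entries are copied from it.

```python
import re
from dataclasses import dataclass

# Assumption: naming scheme inferred from the listing on this page, not a
# documented sandbox format: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
ENTRY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s+(?P<size>\d+(?:\.\d+)?)(?P<unit>KB|MB)$"
)

# Constructed sample: entries copied from the listing above, with the size
# the report prints placed on the same line as the dump name.
SAMPLE = """\
memory/540-159-0x0000000140000000-0x00000001401F9000-memory.dmp 2.0MB
memory/824-107-0x00000000008B0000-0x0000000000910000-memory.dmp 384KB
memory/824-113-0x00000000008B0000-0x0000000000910000-memory.dmp 384KB
memory/1452-225-0x0000000000400000-0x00000000005EB000-memory.dmp 1.9MB
memory/1908-850-0x0000000001DE0000-0x0000000001DE8000-memory.dmp 32KB
memory/2248-9-0x0000000000400000-0x0000000001EFA000-memory.dmp 27.0MB
memory/2556-188-0x0000000100000000-0x0000000100542000-memory.dmp 5.3MB
memory/2604-37-0x0000000010000000-0x00000000101E2000-memory.dmp 1.9MB
"""

# Heuristic (assumption): the usual MSVC link bases; anything else is treated
# as a non-image region.
KNOWN_BASES = {
    0x140000000: "x64 image (default EXE base)",
    0x180000000: "x64 image (default DLL base)",
    0x100000000: "x64 image (base 0x100000000)",
    0x00400000: "x86 image (default EXE base)",
    0x10000000: "x86 image (default DLL base)",
}


@dataclass(frozen=True)
class Dump:
    pid: int
    idx: int
    start: int
    end: int
    listed: str  # size string exactly as the report prints it

    @property
    def size_bytes(self) -> int:
        return self.end - self.start


def format_size(n: int) -> str:
    """Reproduce the report's size formatting: whole KiB below 1 MiB, else one-decimal MiB."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def parse_dumps(text: str) -> list[Dump]:
    """Parse one entry per line; reject anything that does not match the scheme."""
    dumps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised entry: {line}")
        dumps.append(Dump(int(m["pid"]), int(m["idx"]), int(m["start"], 16),
                          int(m["end"], 16), m["size"] + m["unit"]))
    return dumps


def classify(start: int) -> str:
    """Label a region by its base address (heuristic, see KNOWN_BASES)."""
    return KNOWN_BASES.get(start, "non-image region (heap, stack or private allocation)")


def check_sizes(dumps: list[Dump]) -> list[Dump]:
    """Entries whose printed size disagrees with end - start: a sign the listing was garbled."""
    return [d for d in dumps if format_size(d.size_bytes) != d.listed]


def repeated_regions(dumps: list[Dump]) -> dict[tuple[int, int, int], list[int]]:
    """Group dump indices by (pid, start, end); more than one index means the same
    range was captured again later in the run, e.g. after the process unpacked."""
    groups: dict[tuple[int, int, int], list[int]] = {}
    for d in dumps:
        groups.setdefault((d.pid, d.start, d.end), []).append(d.idx)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    rows = parse_dumps(SAMPLE)
    for d in rows:
        print(f"pid {d.pid:>5} #{d.idx:<4} {d.start:#014x}-{d.end:#014x} "
              f"{format_size(d.size_bytes):>7}  {classify(d.start)}")
    print("size mismatches:", check_sizes(rows))
    print("regions dumped more than once:", repeated_regions(rows))
```

For the entries on this page check_sizes returns an empty list; a non-empty result would point at a damaged line in the rendered report rather than at the sample. The repeated-region grouping is the useful triage view: comparing the earlier and later capture of the same range (the 824-107 and 824-113 pair in the sample) is where in-place unpacking or patching shows up.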