74877a615b8e27dded4109dbf5252ca829bef490b81a522eaa29a383f5af3ced

Analysis

max time kernel
146s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Size

24.3MB
MD5

88a9d6c5816e5fb32dd2801c34cbb0d8
SHA1

5efae04bb2ab9021498e0cbbc647ef0117551ce0
SHA256

74877a615b8e27dded4109dbf5252ca829bef490b81a522eaa29a383f5af3ced
SHA512

c0d14dfcdfdde17b6815be74cfd5fe266f65e3ef43bc997dca16df5eeba749f20dd0d7b0a5f452e9543b16b5e35d603b5bf88726513244e45fad2272c5e25bb9
SSDEEP

196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018QQW:fPboGX8a/jWWu3cI2D/cWcls1U

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemscorsvw.exemsdtc.exemsiexec.exeOSE.EXEmscorsvw.exeOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exevds.exevssvc.exewbengine.exemscorsvw.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
2580	alg.exe
3048	aspnet_state.exe
2388	mscorsvw.exe
1472	mscorsvw.exe
2632	mscorsvw.exe
2320	mscorsvw.exe
1968	dllhost.exe
1808	ehRecvr.exe
2116	ehsched.exe
1744	elevation_service.exe
2104	IEEtwCollector.exe
2216	GROOVE.EXE
868	maintenanceservice.exe
2844	mscorsvw.exe
2728	msdtc.exe
2568	msiexec.exe
2672	OSE.EXE
2308	mscorsvw.exe
2144	OSPPSVC.EXE
1556	perfhost.exe
1528	locator.exe
892	snmptrap.exe
2164	vds.exe
2880	vssvc.exe
2416	wbengine.exe
2696	mscorsvw.exe
748	WmiApSrv.exe
2196	wmpnetwk.exe
2612	SearchIndexer.exe
1220	mscorsvw.exe
2372	mscorsvw.exe
2676	mscorsvw.exe
2532	mscorsvw.exe
924	mscorsvw.exe
1652	mscorsvw.exe
1096	mscorsvw.exe
2280	mscorsvw.exe
820	mscorsvw.exe
2016	mscorsvw.exe
1088	mscorsvw.exe
2372	mscorsvw.exe
1476	mscorsvw.exe
2800	mscorsvw.exe
2300	mscorsvw.exe
2476	mscorsvw.exe
2336	mscorsvw.exe
1756	mscorsvw.exe
1920	mscorsvw.exe
2528	mscorsvw.exe
2024	mscorsvw.exe
972	mscorsvw.exe
2024	mscorsvw.exe
2280	mscorsvw.exe
1792	mscorsvw.exe
2676	mscorsvw.exe
1140	mscorsvw.exe
1156	mscorsvw.exe
2412	mscorsvw.exe
2336	mscorsvw.exe
1796	mscorsvw.exe
1012	mscorsvw.exe
1364	mscorsvw.exe
1304	mscorsvw.exe

Loads dropped DLL 51 IoCs

Processes:

msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
464
464
464
464
464
464
464
464
2568	msiexec.exe
464
464
464
464
464
728
1140	mscorsvw.exe
1140	mscorsvw.exe
2412	mscorsvw.exe
2412	mscorsvw.exe
1796	mscorsvw.exe
1796	mscorsvw.exe
1364	mscorsvw.exe
1364	mscorsvw.exe
2024	mscorsvw.exe
2024	mscorsvw.exe
1944	mscorsvw.exe
1944	mscorsvw.exe
2872	mscorsvw.exe
2872	mscorsvw.exe
2412	mscorsvw.exe
2412	mscorsvw.exe
1792	mscorsvw.exe
1792	mscorsvw.exe
1156	mscorsvw.exe
1156	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
2064	mscorsvw.exe
2064	mscorsvw.exe
1340	mscorsvw.exe
1340	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
2476	mscorsvw.exe
2476	mscorsvw.exe
784	mscorsvw.exe
784	mscorsvw.exe
1416	mscorsvw.exe
1416	mscorsvw.exe
2820	mscorsvw.exe
2820	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 20 IoCs

Processes:

alg.exe2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exemsdtc.exeGROOVE.EXESearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\970ce075ae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exemscorsvw.exemsdtc.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8C29.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9888.tmp\ehiVidCtl.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP644F.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7494.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9AE8.tmp\stdole.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8028.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP899A.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7733.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7178.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRec.exemscorsvw.exeSearchFilterHost.exemscorsvw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\msra.exe,-635 = "Invite a friend or technical support person to connect to your computer and help you, or offer to help someone else."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ehRec.exe2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

pid	process
820	ehRec.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: 33	1988	EhTray.exe
Token: SeIncBasePriorityPrivilege	1988	EhTray.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeDebugPrivilege	820	ehRec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeSecurityPrivilege	2568	msiexec.exe
Token: SeBackupPrivilege	2880	vssvc.exe
Token: SeRestorePrivilege	2880	vssvc.exe
Token: SeAuditPrivilege	2880	vssvc.exe
Token: 33	1988	EhTray.exe
Token: SeIncBasePriorityPrivilege	1988	EhTray.exe
Token: SeBackupPrivilege	2416	wbengine.exe
Token: SeRestorePrivilege	2416	wbengine.exe
Token: SeSecurityPrivilege	2416	wbengine.exe
Token: SeManageVolumePrivilege	2612	SearchIndexer.exe
Token: 33	2612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2612	SearchIndexer.exe
Token: 33	2196	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2196	wmpnetwk.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeDebugPrivilege	2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2892	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeDebugPrivilege	2580	alg.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2632	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EhTray.exe

pid process

1988 EhTray.exe
1988 EhTray.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

EhTray.exe

pid process

1988 EhTray.exe
1988 EhTray.exe

pid	process
1988	EhTray.exe
1988	EhTray.exe

pid	process
1988	EhTray.exe
1988	EhTray.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exe

pid	process
272	SearchProtocolHost.exe
272	SearchProtocolHost.exe
272	SearchProtocolHost.exe
272	SearchProtocolHost.exe
272	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
272	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe
1936	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscorsvw.exeSearchIndexer.exe

description	pid	process	target process
PID 2632 wrote to memory of 2844	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2844	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2844	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2844	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2308	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2308	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2308	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2308	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2696	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2696	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2696	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2696	2632	mscorsvw.exe	mscorsvw.exe
PID 2612 wrote to memory of 272	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 272	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 272	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 1620	2612	SearchIndexer.exe	SearchFilterHost.exe
PID 2612 wrote to memory of 1620	2612	SearchIndexer.exe	SearchFilterHost.exe
PID 2612 wrote to memory of 1620	2612	SearchIndexer.exe	SearchFilterHost.exe
PID 2632 wrote to memory of 1220	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1220	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1220	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1220	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2372	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2372	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2372	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2372	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2676	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2676	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2676	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2676	2632	mscorsvw.exe	mscorsvw.exe
PID 2612 wrote to memory of 1936	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 1936	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2612 wrote to memory of 1936	2612	SearchIndexer.exe	SearchProtocolHost.exe
PID 2632 wrote to memory of 2532	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2532	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2532	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2532	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 924	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 924	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 924	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 924	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1652	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1652	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1652	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1652	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1096	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1096	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1096	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1096	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2280	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2280	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2280	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2280	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 820	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 820	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 820	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 820	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2016	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2016	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2016	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 2016	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1088	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1088	2632	mscorsvw.exe	mscorsvw.exe
PID 2632 wrote to memory of 1088	2632	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2388

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 254 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 270 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 258 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 270 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 274 -NGENProcess 278 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 27c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 25c -NGENProcess 1d8 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 27c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 1d8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1dc -NGENProcess 284 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1dc -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 28c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 258 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1d8 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b4 -NGENProcess 28c -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a8 -NGENProcess 1f0 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1f4 -NGENProcess 260 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 240 -NGENProcess 244 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 1f0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1ec -NGENProcess 260 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1f0 -NGENProcess 260 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d4 -NGENProcess 228 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 228 -NGENProcess 1ec -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 274 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 260 -NGENProcess 1d4 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 25c -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 1ec -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 28c -NGENProcess 274 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 25c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 1ec -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 274 -NGENProcess 1d8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 240 -NGENProcess 27c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 27c -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 27c -NGENProcess 240 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 240 -NGENProcess 274 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2c0 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 258 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2c8 -NGENProcess 274 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 258 -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b0 -NGENProcess 2cc -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2cc -NGENProcess 2c8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d8 -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 2b0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2b0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2b0 -NGENProcess 2e0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 2f8 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 324 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 27c -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 328 -NGENProcess 30c -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 324 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 30c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 324 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 310 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 30c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 324 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 310 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 30c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 34c -NGENProcess 348 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 30c -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 358 -NGENProcess 344 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 348 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 30c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 35c -NGENProcess 36c -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 34c -NGENProcess 344 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 370 -NGENProcess 368 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 36c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 36c -NGENProcess 364 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 36c -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 374 -NGENProcess 36c -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 384 -NGENProcess 34c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 30c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 36c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 30c -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 34c -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 30c -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 30c -NGENProcess 398 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 3a8 -NGENProcess 34c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:972

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2672

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:748

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:272
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  - Modifies data under HKEY_USERS
  PID:1620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
59972e807fd02248c0b4e4cb115b88d3

SHA1
1026b6b655b73d13a30a9e5c752100a48faa04de

SHA256
4c4ceb92fcf1d569f8416b77d6f19d44022abc3f203997a42cd13afafbf53b5a

SHA512
f0aa7e8aa374b2d5609b320d0f485dba12f054aa998190fd1cf77e149b0b3d373eb2c89a8c9017d1a308f8dbd3b06a20c66e99f4432b82e9731102eb4c963953

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
fdcbe4b7f294f14b5ab7318572d6c120

SHA1
1b15f7ebe81ab2ed174e3c0a0c74214248f2682c

SHA256
2dd558c8eb5c4dc7f32b211419e512cf054bcc6ceea630c1556a60357a082b37

SHA512
437dd28b6e2fc44ccdd44591bf7095d3b47674e6d437d041b93da8f2869355d0b1982eb14dfaae85015438bfe2b6103e29eb35a7a2317c85e3e14deac42cf2c6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5f650e3abe6acfa7ccde25057865ac99

SHA1
4afe7f212243066526deccc0a4d14f299bc7e557

SHA256
aec632d2d1cc6800368c4d8adce4d025e67f0dcbecd40431d7126bc8014e333e

SHA512
5d94517fb180f5d92fec860e7302a9017b88b7e7ecc1bafe0335d2e10776d489670404e042e4e5de2d7cfdead8295544cf15170d1f83485b8f53cc8edbd664b4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
8db1f7b3b15d386461e6d1a0f9b81b3e

SHA1
1a55e146f911c32bdeb87497abba3ffecff503cb

SHA256
cec6a1de34461a6b52fceeeb8d6e6c6f7a1a4419bea85f06afd95e728066aebb

SHA512
aaacec2ba519843525ad6607d595e5baa813f7aca4c5e5b8c0f95b7a0514b95fa4ece644488f27ba9d8809ef260801192aaab1718d1fca9a57680da2b0174cc2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
76a80062933533a9b46e8a7017dfceb5

SHA1
5839daf0d69a879dd98a68351941623129dfe6b7

SHA256
764be498ae98060b695362909c07fd54ad437fc8e9f3de7536aa0eb6d2e06d35

SHA512
2297ea69e0e13b1f53bac657a3598b01d589308589890b840d582dd10cdcc01b226e2fcd25eaccba603bebac3e52e73472fefd851cae70016ea3686467273db4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0208457ba695badd213e0d36f587c5e2

SHA1
b6579b11e2ecef4fb97aee61e27b80adf99c087b

SHA256
d5fb1464392258fa6609548296af8952a113dd87a5df1ecd806b3c4070d27d58

SHA512
da5d3293af9dab5f931a76d306bc38de48a9a5b4f8f0529f4950ef37bb8c4f124397abbc47ded9f8d225e230d93adfbe08b5e8ba2baa79a0c90b086da2405126

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
193ea5971a36304369d8ec9d534783c3

SHA1
470efd93761d97c927c9844b4095b0476567dd9d

SHA256
106d2d77578dea0f53a21009a615c833572326edddab379f239055321eb81ac4

SHA512
c38f4770803e26e3ffb5971458931ec567c7ce858490e9466bcb950c6417626c7b8bce91257e7121db203589f7fb2f113df5fca2de03b6ec9405dc24c5029321

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
88dcd766fdbb1a0f7fcca7b005675054

SHA1
d08e158c6d718aef85ea2e1432363b4e1b62065b

SHA256
3dd6d7aa307e606ee5642ed44818911efb550beddf2bc634371c7179e71f3dbd

SHA512
183fb2d5b2fd9c997dd011df2779de6859e2267dde39c76dc7ef5c0790e1d5dc5b0a7358d10d6ea4bb52b1488ddcc3557884ccb92afc2db6411193d4eab52b8c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
e683671179ef08b3a68ae35e53ab8520

SHA1
1b008a8815e149b2a3a8b3fa7f5b27fc01b75f99

SHA256
f3423da4b2bf752fd22bd1e418834c523519df217795f5db420045c676e73309

SHA512
16c13bb990ec7b5f5d19c4210ffe13649794e1b070730128745ca55e3539f95a410b056c1694ed50b90fb3ebc8dfffa3a6f2150acb1f6f33f44051ff5da3f8f5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
70056e1320c3b70a331390770f2d743b

SHA1
4dc3285e06d386d2d36b0d0269f129667a2b6f67

SHA256
96323f73240e1aa4d25cc7e425e366e10ab9cfac3a7b4155b898104fdd2e9fe5

SHA512
0c47e4d4f33653bbaea8277b66b3453003c9d3f2fd98fbe249c47eb2710bc423430fffc94ac948f86fbcab8d8f8a52a46992b3f77604cd1dd8e27723244712c1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
34ec1a5610628a301137dcef364a5141

SHA1
5d6ad3e365fc0be75da65214c5b53a6d8a8197a7

SHA256
dc8a29a2d8b9dbae92f30045cd5f7b17b045b81712e8ae26e96e7e34225cc900

SHA512
505b369b52c24eefdc0761d84d4bcc624af076a7488cab5e95808318bceca356e80187a959c7bb5ce581de348115645096ad7e0b8715d369db32881bd8993cd0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ff706be49e0ea685d4a9fc23b9cd6a85

SHA1
ea555ac4c0020ef86763799f715f948471a839c6

SHA256
5d96649339e7a0366155392359f52a7440301e28bbf3919c1816bb193230d3e6

SHA512
e228d76bcb5eb25ff63f256441df97e73b3fd970766a43d08b4590b905116a5241a8351c8b42be06b3c17b3979c9a27baf702df7a304586a07df6f5ab81cee88

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
6833bf77721c26211fd503636a92e35f

SHA1
09e875c9417813c06cb31ebc4a7a7d2d6e822973

SHA256
987efde58f909427e6bf74ef76bcf3d24138f84c0925abb2f2ce8e6b88e30b88

SHA512
97005f8ad58238db14a539ed6f7b53f0a51e9022a1efe33f3f2f317d2fe77a1fb2d9d37818b5f9e0e604d3cff32b422788baa766732b044f9e584c7ba7f9a634

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
af969fd95f8b4fc1a5282defcd64b284

SHA1
ce280a083c84a09ef7eef6a98fdb67b10bd711c3

SHA256
2c13f1333c778cce24d0751b09b8d400e94b3d3887310df16a2ad9d31b67b3e5

SHA512
85bf3fc4412001843758bcacfc51676782a0d3d2e738aa9efcfb8ba9b1521f7d13458fc0a63c70c21f56fd8fb374d5ca28f493c7f8e7afd692b53c09710a97b6

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.2MB

MD5
52c6f8c000f21c6d35ea83fc379ea95b

SHA1
fa9cf9542f29e654e648cdc470d09661d377a8fa

SHA256
388c0a5452e20eb92ab0fdbb3498bf0ca1004f0b939f6b75f84c2e17d828cfa7

SHA512
3ede18d4296618e4317b1fb6381e78fd95ab9d94d9d2fa0c2da8a5eb345d08031db249232185fb5461fe2139e486e33a3df9eb2a7f00863c595782742f8daf76

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
56a64b28c06a13431992286a595801a3

SHA1
ed3c99f6eb7269569f42083984f903d4bc23c5c1

SHA256
e21dc45c70148d791800b17d6c92eafa2622aa6c27d4b70238db55e05b528634

SHA512
694474e9d1beb148f60f115a11c6f9e60ec8c1844b573afedf569b8f4a39965cb7f32d54a2126b57db1cee8a05ab9ffc09c0f09fa65884390e9756ca77c8213f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
a455554d82ff1b1890baafcd856b571e

SHA1
79b351d79405f26a2ead2d45dea58741637b6566

SHA256
d1b47006b2edca01a248358da450b78acd23271737d568a6c32fe29a20066fa4

SHA512
df9d26cc0e3e46b0bac3e08e065a9f1221ccd0e77ca47e152bdbbf2be5327d1fadef03c518f56a505ba61f7e7fbf8d3b110b46fe1332815f1b2b16298f400f50

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
383f8bd0d8598213419ebd983557c804

SHA1
b17ebee2ce7bd60564260e0d14ae400d86539079

SHA256
b3d7b0e7fc60c84bb3a8ebd6e3f37cfab91977288aadf3966624fd560fee11c1

SHA512
4155c0bc869e6f221669806b2f6765b0cf15d7d2b733e799cb4e7beac07acd2721e7189911ae5062ce35324449faea03e7bd08391076ed9ad71776a2cb5580b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ac2e1ab5cae0ba75d0a7173ad624c222\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
1eff63517430e183b5389ba579ed93e2

SHA1
5891927b05adc6db5464fb02469c113a975ebbf0

SHA256
b56eb87a81a8777ae81fe8099d7f18dd11757dff104a9609a0568ca0b4ce0856

SHA512
2861ba07bfea6dbe1e349df886a401df47e9ca2a3846d1f8a269c6a558bdc5f5e4bf30cbaa8c115af801f2e5bf722084b88290e1dd10c4cedbc49a26e8eda844

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c128c0544f4f5330e86f8ab6d58757b8\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
1c70f03a678242fe8d7bb158704842df

SHA1
933728f3a6a39c55159741213bc2b3b4d4cdc790

SHA256
7240e4e9df2c1b7c6c8f3ccf2706e2fa93c0141069d96b8f2101f2122acb72fc

SHA512
4831a3c2aa9919bab1cb6302c37c145c85f65437d324b65d36b245096c7a96a3c5cae8f6ee95e9b891ebd01f626e2b6d3bb48315fa3cd05e375765ee2e2393e6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d7b29d7797fefd80a8f77c98eebddc11\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
a03c831cb51ed63213ead308a53d7354

SHA1
4f6a9189d8d56bf2449235f23cc2278bf5132b51

SHA256
130ee203551dc5378ec6c5f3a6408aa0c9f2b03e8b31ea980926f645344d939e

SHA512
ba28351932abfb7d03e01b81a6face909a573335850846507fe274b48a0ead697c71cd4743ebfa4acd8f5809ef0cecaabc43b0aea45c6d9d29fad836e5965bc0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7AFA.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP899A.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll

Filesize
83KB

MD5
a04b2c1ee5ab1b0c05c48d08f2eb6a95

SHA1
8af49c6c4c96e7057a62df9f2eefc7cd37799a0a

SHA256
fe2b9f6cb8b59f4e019fbee95a8e70dc2b79611a48f154668b76e29827247e25

SHA512
316b649a8d6acb2d1987f3f900a63e2b7542b73d3b281967cf30059956f6d5209b3528d17d9b71be6366b2d9a93cad761923741ac70c361dec00e51e3533223d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5c46381bb7a1f08d783693141601fe88

SHA1
fa783058f5346c1ed813332bd00497b2b56dfa40

SHA256
e14ba52ecf5e534d234a5ddd37ae8f2063646d16f826040dbfe882257efbbab4

SHA512
df7972f713ad3c3a5c02f7a9c0d7f976e1f3a998adffe57b4390ed0463d49807b1aaa8f871e305bd88ab2e9fd1d1b315c3064538ede9f947ba503774cf0101c3

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
9430d3ecb485bf28eececf5fea5ed22b

SHA1
d1ed9527728d5a7623befdd2a057e573d3e72c65

SHA256
68086b6f23917ebd4d9d56da68df9a750b0a3c10e1687347e39bf4f5c25324fb

SHA512
3d5b0c2deced63141f57c2b9e947fd1e07337c0ad4381bb5c5fde2dd9a97c2fa734c850030efa62eab20d2d43d7448462c3ae114f4aca3fa41aba3e4f0563f5f

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
875eb601a209025d10017fbeb0195657

SHA1
7071961dad9b9105849447ef60d8fde2b589d645

SHA256
b6f12cbf7eb26b9d86f434b839dca2a7afc1b6e5a946341112ff426a1d940b76

SHA512
d3ccd66f0e50e20e65f9682f95a3a7d5a70921ed440ce6db880a4e931026fb489024675887671ee706287b5573dfc41887f1754fe2002adebe26166f9d4e29b6

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6c709361edbf6f10d1d3afc751b4c38b

SHA1
bf4a98a30f3bf70f3e96996f69b8ee1d0dc5bec1

SHA256
f2f97f195647db526cfc9d5fc25bc0598d76e4e2a9dd008e48356d2d50cdb588

SHA512
bac4600d5735e17ecccbab25f41aad5127b7199d05762ed2ed6ae4de3927dcbda9a9bb8a37ff4817118d14773a378cbd63729a352dd137755720dc911053d34a

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b9073038834b6141fce98d4adb10a622

SHA1
d6765c38466a82d0fad36c7ea80332996f9232a2

SHA256
e4e234ac36d7a31dfcac8c437cb1a291260116cb9e05a181fd32d72a38efaf25

SHA512
786fa3830c8f60836db5fc48f9d3019e5f3f1a36417f2ea2b81f46fef6d0928422ad8e15364ac1e075254e084ee3018cdb83a8c583520c2c2e6eb7f423b7ef88

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
7b953078e58b51ac4ea7f78ff9a7367c

SHA1
dbc56dccecbbcfc8e6925d3556874f6c3ab490af

SHA256
827e16b660dd9dd608fd9826eb9bc3f0f1dd48be3b7050ccff500d99f97bdc20

SHA512
0a19328cdc514841dba92c990614ac709ff06154d52a6672f245b4d6cbcda440c3431fbca64fd87b30013b95581efc3a8605735f790d66a3416072b0eb371e37

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2f478218f27e6643ebc14503d8486269

SHA1
ff3ddc4ea1b7c97e3306d88bc19c51dfc7aaed82

SHA256
6006af776a2964a8a281276301fa35d20a9607eb5fe37441694429ab02b925ee

SHA512
ba6d9bbe63c4cd79647a38e9445c4f9894786e7960d246459ae8caf75bd9ac4a714fe2c1fb716d819d945e130f64947ca8d7ea9ba52b04a6653c8f044fa1887b

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
7b79073806abd44d90be94ddf682b495

SHA1
b733fb929a1c7cf81ab201ffa5d0e555ac7caaef

SHA256
bb75e2b46cb85570a0419afffc4c64e5154d4ecc437005e9ee46c310153dd433

SHA512
50d030d4d96692c8f711dab5141ef8a3906eca3fe9097667ecfc2fbf10caaa344a5e4a08e29c1e36a61c4def7998d263f7fb4dbfad2d6d0bdb7427f32c542a31

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
78148ab9ea85e62fba7a526b6cc24c83

SHA1
4c49b32a22e2bf7a7053f7ca8af13847311d78b6

SHA256
3e72dd01be5a908743a75c393ac674c38cc261eefa8e5cc9d17da5e721f1e4f9

SHA512
816ef470452cd485155af9f27eac4ac2e0da230b727f45586e57dcee831197e5f974ae47a9a4811aed9ef814cd0846e51d74b9be94505897243813e50b1815da

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
198aef22d44c6d64dad692f64c25735b

SHA1
dad1784544c1d60b56c4955609907ac5d4bac5f3

SHA256
e360ac381ca404f624a634b3f04a702959b7823c362c60f4395dcb2dadfd13d9

SHA512
912ea4c667f602a287bcc234effd81319b1232b75446b49d583825c1babb21280e8426dc0e7231ae632b6a71819822e81b2bed70a42731aa8259e03badf0e7f9

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
29cf726918276e49f45988ff0c75dd4f

SHA1
fd07177c993d5419e78e1566aea68751e73ecce4

SHA256
b2806ba1d1609f45f6baeba36780272435ec2bcb9fed399a32c67d207f9e5330

SHA512
45f5bbe06406d7aea956ecc62d2573bc5f62bbe7696a7cb1e1382acbe2a8d89a2b7b724a611878eadc2e28f4a7bc7201b950c9a7952c5fff49b0166c32313273

Download Submit
memory/868-190-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/868-194-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1472-63-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1472-56-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1472-57-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/1472-83-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1556-872-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/1556-282-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/1744-268-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1744-155-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1808-897-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1808-119-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1808-244-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1968-226-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/1968-103-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1968-111-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/1968-110-0x0000000100000000-0x00000001001D4000-memory.dmp

Filesize
1.8MB

Download
memory/2104-842-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2104-159-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2104-272-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2116-140-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2116-256-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2116-851-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/2144-269-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2144-869-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2216-481-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2216-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2308-257-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2308-361-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2320-100-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2320-96-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2320-90-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2372-669-0x0000000003EF0000-0x0000000003FAA000-memory.dmp

Filesize
744KB

Download
memory/2388-36-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2388-53-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2388-42-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2388-37-0x00000000004F0000-0x0000000000557000-memory.dmp

Filesize
412KB

Download
memory/2568-227-0x00000000005E0000-0x00000000007D1000-memory.dmp

Filesize
1.9MB

Download
memory/2568-843-0x00000000005E0000-0x00000000007D1000-memory.dmp

Filesize
1.9MB

Download
memory/2568-824-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2568-225-0x0000000100000000-0x00000001001F1000-memory.dmp

Filesize
1.9MB

Download
memory/2580-20-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2580-137-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2580-18-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2580-12-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2632-73-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2632-960-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/2632-964-0x0000000001D80000-0x0000000001E24000-memory.dmp

Filesize
656KB

Download
memory/2632-965-0x0000000002000000-0x000000000219E000-memory.dmp

Filesize
1.6MB

Download
memory/2632-966-0x0000000001D80000-0x0000000001E6C000-memory.dmp

Filesize
944KB

Download
memory/2632-967-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2632-968-0x0000000001D80000-0x0000000001E08000-memory.dmp

Filesize
544KB

Download
memory/2632-969-0x0000000001D80000-0x0000000001DA4000-memory.dmp

Filesize
144KB

Download
memory/2632-970-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2632-971-0x0000000001D80000-0x0000000001DAA000-memory.dmp

Filesize
168KB

Download
memory/2632-972-0x0000000001D80000-0x0000000001DE6000-memory.dmp

Filesize
408KB

Download
memory/2632-962-0x0000000000ED0000-0x0000000000EEA000-memory.dmp

Filesize
104KB

Download
memory/2632-207-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2632-79-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2632-961-0x0000000000ED0000-0x0000000000EEE000-memory.dmp

Filesize
120KB

Download
memory/2632-963-0x0000000001D80000-0x0000000001E0C000-memory.dmp

Filesize
560KB

Download
memory/2632-74-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/2672-255-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2672-844-0x000000002E000000-0x000000002E1F4000-memory.dmp

Filesize
2.0MB

Download
memory/2728-208-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2728-645-0x0000000140000000-0x00000001401F5000-memory.dmp

Filesize
2.0MB

Download
memory/2844-204-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2844-329-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/2892-5-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/2892-98-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2892-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2892-0-0x0000000000350000-0x00000000003B7000-memory.dmp

Filesize
412KB

Download
memory/3048-32-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3048-26-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3048-25-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/3048-154-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download