Analysis
-
max time kernel
149s -
max time network
159s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 07:20
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
Resource
win7-20240221-en
General
-
Target
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
-
Size
24.3MB
-
MD5
35937438978a3dcd558ce62f7391cf3c
-
SHA1
85a18dd06dc2e9dc8849c71851d29020d6d02d2c
-
SHA256
c133b2c20c0bc18a9d6d8c1bb9be82b52b776b6e83df1bd29a5519969c11524c
-
SHA512
da9a6a1eb2a78f4008087e093a931c31237feb9089663963b00be5a29c9ab262f3598f643d36698cefc70779848baebf5607ea0d644fb6dd8c5c654bd94da27c
-
SSDEEP
196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018/Im:VPboGX8a/jWWu3cI2D/cWcls1H
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Processes:
alg.exeaspnet_state.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeehRecvr.exeehsched.exeelevation_service.exeIEEtwCollector.exeGROOVE.EXEmaintenanceservice.exemsdtc.exemsiexec.exeOSE.EXEOSPPSVC.EXEperfhost.exelocator.exesnmptrap.exemscorsvw.exevds.exevssvc.exewbengine.exemscorsvw.exeWmiApSrv.exewmpnetwk.exeSearchIndexer.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid Process 468 2440 alg.exe 2620 aspnet_state.exe 2392 mscorsvw.exe 2944 mscorsvw.exe 1320 mscorsvw.exe 2200 mscorsvw.exe 1928 ehRecvr.exe 2160 ehsched.exe 2256 elevation_service.exe 1064 IEEtwCollector.exe 1548 GROOVE.EXE 2060 maintenanceservice.exe 2732 msdtc.exe 2940 msiexec.exe 2604 OSE.EXE 564 OSPPSVC.EXE 2392 perfhost.exe 2016 locator.exe 1808 snmptrap.exe 1944 mscorsvw.exe 1780 vds.exe 2208 vssvc.exe 568 wbengine.exe 1752 mscorsvw.exe 2616 WmiApSrv.exe 2020 wmpnetwk.exe 1648 SearchIndexer.exe 1612 mscorsvw.exe 1580 mscorsvw.exe 904 mscorsvw.exe 812 mscorsvw.exe 1164 mscorsvw.exe 2112 mscorsvw.exe 2204 mscorsvw.exe 1688 mscorsvw.exe 812 mscorsvw.exe 1160 mscorsvw.exe 1408 mscorsvw.exe 2336 mscorsvw.exe 2124 mscorsvw.exe 1676 mscorsvw.exe 528 mscorsvw.exe 1216 mscorsvw.exe 2944 mscorsvw.exe 1208 mscorsvw.exe 980 mscorsvw.exe 3036 mscorsvw.exe 1052 mscorsvw.exe 2696 mscorsvw.exe 836 mscorsvw.exe 2884 dllhost.exe 2108 mscorsvw.exe 2548 mscorsvw.exe 976 mscorsvw.exe 860 mscorsvw.exe 972 mscorsvw.exe 1708 mscorsvw.exe 2696 mscorsvw.exe 2028 mscorsvw.exe 1052 mscorsvw.exe 1956 mscorsvw.exe 1752 mscorsvw.exe 1984 mscorsvw.exe -
Loads dropped DLL 61 IoCs
Processes:
msiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exepid Process 468 468 468 468 468 468 468 2940 msiexec.exe 468 468 468 468 468 744 468 972 mscorsvw.exe 972 mscorsvw.exe 2696 mscorsvw.exe 2696 mscorsvw.exe 1052 mscorsvw.exe 1052 mscorsvw.exe 1752 mscorsvw.exe 1752 mscorsvw.exe 2460 mscorsvw.exe 2460 mscorsvw.exe 2412 mscorsvw.exe 2412 mscorsvw.exe 2992 mscorsvw.exe 2992 mscorsvw.exe 1768 mscorsvw.exe 1768 mscorsvw.exe 1712 mscorsvw.exe 1712 mscorsvw.exe 1840 mscorsvw.exe 1840 mscorsvw.exe 860 mscorsvw.exe 860 mscorsvw.exe 2708 mscorsvw.exe 2708 mscorsvw.exe 1120 mscorsvw.exe 1120 mscorsvw.exe 1008 mscorsvw.exe 1008 mscorsvw.exe 2664 mscorsvw.exe 2664 mscorsvw.exe 928 mscorsvw.exe 928 mscorsvw.exe 808 mscorsvw.exe 808 mscorsvw.exe 2840 mscorsvw.exe 2840 mscorsvw.exe 2348 mscorsvw.exe 2348 mscorsvw.exe 1632 mscorsvw.exe 1632 mscorsvw.exe 1348 mscorsvw.exe 1348 mscorsvw.exe 1120 mscorsvw.exe 1120 mscorsvw.exe 1644 mscorsvw.exe 1644 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 23 IoCs
Processes:
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exeGROOVE.EXEmsdtc.exeSearchProtocolHost.exealg.exemscorsvw.exedescription ioc Process File opened for modification C:\Windows\system32\dllhost.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\wbengine.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\system32\msiexec.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\locator.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\system32\fxssvc.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\system32\vssvc.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\SearchIndexer.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\dllhost.exe alg.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe alg.exe File opened for modification C:\Windows\System32\msdtc.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\SysWow64\perfhost.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\System32\snmptrap.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\System32\vds.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 mscorsvw.exe File opened for modification C:\Windows\System32\alg.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\507869cdae4ef42b.bin alg.exe -
Drops file in Program Files directory 64 IoCs
Processes:
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exealg.exemaintenanceservice.exedescription ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE alg.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe alg.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE alg.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe -
Drops file in Windows directory 64 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exealg.exemscorsvw.exemscorsvw.exemscorsvw.exemsdtc.exedescription ioc Process File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC2E2.tmp\Microsoft.Office.Tools.Outlook.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index15a.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP43F3.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3562.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3958.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2433.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2EDD619C-FA1F-4F22-9D6A-894093B7CCC3}.crmlog dllhost.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPB7EA.tmp\Microsoft.Office.Tools.Excel.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File opened for modification C:\Windows\ehome\ehsched.exe alg.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3DDB.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP871A.tmp\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3765.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP3360.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
mscorsvw.exeSearchIndexer.exeSearchProtocolHost.exemscorsvw.exemscorsvw.exeehRec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exewmpnetwk.exeSearchFilterHost.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft wmpnetwk.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0138259f4b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060b2035bf4b3da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\pmcsnap.dll,-700 = "Print Management" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
ehRec.exe2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exepid Process 1484 ehRec.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exemscorsvw.exemscorsvw.exeEhTray.exeehRec.exemsiexec.exevssvc.exewbengine.exeSearchIndexer.exewmpnetwk.exealg.exedescription pid Process Token: SeTakeOwnershipPrivilege 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: 33 2960 EhTray.exe Token: SeIncBasePriorityPrivilege 2960 EhTray.exe Token: SeDebugPrivilege 1484 ehRec.exe Token: SeRestorePrivilege 2940 msiexec.exe Token: SeTakeOwnershipPrivilege 2940 msiexec.exe Token: SeSecurityPrivilege 2940 msiexec.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: 33 2960 EhTray.exe Token: SeIncBasePriorityPrivilege 2960 EhTray.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeBackupPrivilege 2208 vssvc.exe Token: SeRestorePrivilege 2208 vssvc.exe Token: SeAuditPrivilege 2208 vssvc.exe Token: SeBackupPrivilege 568 wbengine.exe Token: SeRestorePrivilege 568 wbengine.exe Token: SeSecurityPrivilege 568 wbengine.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeManageVolumePrivilege 1648 SearchIndexer.exe Token: 33 1648 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1648 SearchIndexer.exe Token: 33 2020 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2020 wmpnetwk.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeDebugPrivilege 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 2812 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeDebugPrivilege 2440 alg.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe Token: SeShutdownPrivilege 1320 mscorsvw.exe Token: SeShutdownPrivilege 2200 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EhTray.exepid Process 2960 EhTray.exe 2960 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
EhTray.exepid Process 2960 EhTray.exe 2960 EhTray.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
SearchProtocolHost.exeSearchProtocolHost.exepid Process 2764 SearchProtocolHost.exe 2764 SearchProtocolHost.exe 2764 SearchProtocolHost.exe 2764 SearchProtocolHost.exe 2764 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2800 SearchProtocolHost.exe 2764 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
mscorsvw.exemscorsvw.exedescription pid Process procid_target PID 2200 wrote to memory of 1944 2200 mscorsvw.exe 51 PID 2200 wrote to memory of 1944 2200 mscorsvw.exe 51 PID 2200 wrote to memory of 1944 2200 mscorsvw.exe 51 PID 2200 wrote to memory of 1752 2200 mscorsvw.exe 54 PID 2200 wrote to memory of 1752 2200 mscorsvw.exe 54 PID 2200 wrote to memory of 1752 2200 mscorsvw.exe 54 PID 1320 wrote to memory of 1612 1320 mscorsvw.exe 59 PID 1320 wrote to memory of 1612 1320 mscorsvw.exe 59 PID 1320 wrote to memory of 1612 1320 mscorsvw.exe 59 PID 1320 wrote to memory of 1612 1320 mscorsvw.exe 59 PID 1320 wrote to memory of 1580 1320 mscorsvw.exe 60 PID 1320 wrote to memory of 1580 1320 mscorsvw.exe 60 PID 1320 wrote to memory of 1580 1320 mscorsvw.exe 60 PID 1320 wrote to memory of 1580 1320 mscorsvw.exe 60 PID 1320 wrote to memory of 904 1320 mscorsvw.exe 61 PID 1320 wrote to memory of 904 1320 mscorsvw.exe 61 PID 1320 wrote to memory of 904 1320 mscorsvw.exe 61 PID 1320 wrote to memory of 904 1320 mscorsvw.exe 61 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 1164 1320 mscorsvw.exe 63 PID 1320 wrote to memory of 1164 1320 mscorsvw.exe 63 PID 1320 wrote to memory of 1164 1320 mscorsvw.exe 63 PID 1320 wrote to memory of 1164 1320 mscorsvw.exe 63 PID 1320 wrote to memory of 2112 1320 mscorsvw.exe 64 PID 1320 wrote to memory of 2112 1320 mscorsvw.exe 64 PID 1320 wrote to memory of 2112 1320 mscorsvw.exe 64 PID 1320 wrote to memory of 2112 1320 mscorsvw.exe 64 PID 1320 wrote to memory of 2204 1320 mscorsvw.exe 65 PID 1320 wrote to memory of 2204 1320 mscorsvw.exe 65 PID 1320 wrote to memory of 2204 1320 mscorsvw.exe 65 PID 1320 wrote to memory of 2204 1320 mscorsvw.exe 65 PID 1320 wrote to memory of 1688 1320 mscorsvw.exe 66 PID 1320 wrote to memory of 1688 1320 mscorsvw.exe 66 PID 1320 wrote to memory of 1688 1320 mscorsvw.exe 66 PID 1320 wrote to memory of 1688 1320 mscorsvw.exe 66 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 812 1320 mscorsvw.exe 67 PID 1320 wrote to memory of 1160 1320 mscorsvw.exe 68 PID 1320 wrote to memory of 1160 1320 mscorsvw.exe 68 PID 1320 wrote to memory of 1160 1320 mscorsvw.exe 68 PID 1320 wrote to memory of 1160 1320 mscorsvw.exe 68 PID 1320 wrote to memory of 1408 1320 mscorsvw.exe 69 PID 1320 wrote to memory of 1408 1320 mscorsvw.exe 69 PID 1320 wrote to memory of 1408 1320 mscorsvw.exe 69 PID 1320 wrote to memory of 1408 1320 mscorsvw.exe 69 PID 1320 wrote to memory of 2336 1320 mscorsvw.exe 70 PID 1320 wrote to memory of 2336 1320 mscorsvw.exe 70 PID 1320 wrote to memory of 2336 1320 mscorsvw.exe 70 PID 1320 wrote to memory of 2336 1320 mscorsvw.exe 70 PID 1320 wrote to memory of 2124 1320 mscorsvw.exe 71 PID 1320 wrote to memory of 2124 1320 mscorsvw.exe 71 PID 1320 wrote to memory of 2124 1320 mscorsvw.exe 71 PID 1320 wrote to memory of 2124 1320 mscorsvw.exe 71 PID 1320 wrote to memory of 1676 1320 mscorsvw.exe 72 PID 1320 wrote to memory of 1676 1320 mscorsvw.exe 72 PID 1320 wrote to memory of 1676 1320 mscorsvw.exe 72 PID 1320 wrote to memory of 1676 1320 mscorsvw.exe 72 PID 1320 wrote to memory of 528 1320 mscorsvw.exe 73 PID 1320 wrote to memory of 528 1320 mscorsvw.exe 73 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2620
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2392
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2944
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 258 -NGENProcess 260 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 24c -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1164
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2204
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 274 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2336
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 1f0 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1216
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 254 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 294 -NGENProcess 2ac -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 294 -NGENProcess 2a8 -Pipe 1f0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:3036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1052
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:836
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1944
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1752
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 208 -NGENProcess 1e4 -Pipe 200 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2108
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 254 -NGENProcess 248 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2548
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 22c -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:976
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:860
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 248 -Pipe 1b0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 258 -Pipe 230 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 26c -NGENProcess 260 -Pipe 1bc -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 264 -Pipe 22c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2028
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1052
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1956
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 27c -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1752
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 264 -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1984
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2460
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"2⤵PID:1088
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1e4 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2412
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"2⤵PID:720
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 294 -NGENProcess 28c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 1e4 -Pipe 290 -Comment "NGen Worker Process"2⤵PID:2840
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1768
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"2⤵PID:576
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 208 -NGENProcess 274 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 29c -NGENProcess 2ac -Pipe 288 -Comment "NGen Worker Process"2⤵PID:1728
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 26c -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
PID:1840
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 2a8 -Pipe 208 -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:860
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 26c -Pipe 2b0 -Comment "NGen Worker Process"2⤵PID:2648
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2ac -NGENProcess 2b8 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:1208
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c0 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"2⤵PID:2816
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 2b4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1008
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2a4 -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"2⤵PID:1708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2b8 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2664
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b8 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:2400
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 26c -NGENProcess 2bc -Pipe 2d4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:928
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2bc -NGENProcess 2c4 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2188
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2e4 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵PID:1636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:1088
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"2⤵PID:1604
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d0 -Pipe 294 -Comment "NGen Worker Process"2⤵PID:1164
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 2e0 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:808
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2ec -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2840
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2fc -NGENProcess 2c4 -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e4 -NGENProcess 304 -Pipe 2ec -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2348
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:2696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2fc -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2dc -Pipe 2f8 -Comment "NGen Worker Process"2⤵PID:928
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:1736
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:2408
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 2dc -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:1652
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 304 -Comment "NGen Worker Process"2⤵PID:2364
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 31c -NGENProcess 318 -Pipe 2fc -Comment "NGen Worker Process"2⤵PID:1436
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 324 -NGENProcess 2f4 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 30c -NGENProcess 308 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:2600
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 32c -NGENProcess 318 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:1492
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2f4 -Pipe 310 -Comment "NGen Worker Process"2⤵PID:972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 308 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:2284
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:1580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2f4 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:1068
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 340 -NGENProcess 308 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2428
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2f4 -Pipe 330 -Comment "NGen Worker Process"2⤵PID:904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 308 -Pipe 334 -Comment "NGen Worker Process"2⤵PID:2104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 338 -Comment "NGen Worker Process"2⤵PID:972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2f4 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2284
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 354 -NGENProcess 350 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:940
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 340 -NGENProcess 2f4 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:1724
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 348 -NGENProcess 34c -Pipe 364 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1632
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 354 -Pipe 360 -Comment "NGen Worker Process"2⤵PID:2452
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 368 -NGENProcess 2f4 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:2656
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 314 -Pipe 358 -Comment "NGen Worker Process"2⤵PID:2216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 354 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:976
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2f4 -Pipe 35c -Comment "NGen Worker Process"2⤵PID:884
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 314 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:2244
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 354 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:2972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 374 -NGENProcess 384 -Pipe 378 -Comment "NGen Worker Process"2⤵PID:2764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 368 -NGENProcess 354 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:1504
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 388 -NGENProcess 37c -Pipe 350 -Comment "NGen Worker Process"2⤵PID:1096
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 384 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:2216
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 368 -NGENProcess 390 -Pipe 388 -Comment "NGen Worker Process"2⤵PID:936
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 398 -NGENProcess 384 -Pipe 394 -Comment "NGen Worker Process"2⤵PID:2944
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 37c -Pipe 380 -Comment "NGen Worker Process"2⤵PID:1852
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 390 -Pipe 374 -Comment "NGen Worker Process"2⤵PID:1768
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 384 -Pipe 354 -Comment "NGen Worker Process"2⤵PID:2764
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 37c -Pipe 2f4 -Comment "NGen Worker Process"2⤵PID:972
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 3a0 -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"2⤵PID:1708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 368 -NGENProcess 37c -Pipe 398 -Comment "NGen Worker Process"2⤵PID:2696
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3ac -NGENProcess 3b8 -Pipe 3a0 -Comment "NGen Worker Process"2⤵PID:936
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 314 -NGENProcess 37c -Pipe 39c -Comment "NGen Worker Process"2⤵PID:2164
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 3bc -NGENProcess 368 -Pipe 384 -Comment "NGen Worker Process"2⤵PID:2532
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 3c0 -NGENProcess 3b8 -Pipe 390 -Comment "NGen Worker Process"2⤵PID:2636
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 37c -Pipe 3a8 -Comment "NGen Worker Process"2⤵PID:1480
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 368 -Pipe 3b4 -Comment "NGen Worker Process"2⤵PID:2904
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 3b8 -Pipe 3ac -Comment "NGen Worker Process"2⤵PID:368
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d0 -NGENProcess 37c -Pipe 314 -Comment "NGen Worker Process"2⤵PID:2156
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 368 -Pipe 3bc -Comment "NGen Worker Process"2⤵PID:940
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3b8 -Pipe 3c0 -Comment "NGen Worker Process"2⤵PID:2596
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b8 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1064
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c4 -NGENProcess 3dc -Pipe 3c8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1348
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3d8 -NGENProcess 3e8 -Pipe 3b8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1708
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3b0 -NGENProcess 3dc -Pipe 37c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1120
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3e4 -NGENProcess 3f0 -Pipe 3d8 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1080
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 368 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1644
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 3dc -NGENProcess 3ec -Pipe 3b0 -Comment "NGen Worker Process"2⤵PID:1556
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3f8 -NGENProcess 3f0 -Pipe 3d4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2572
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3fc -NGENProcess 3f4 -Pipe 3c4 -Comment "NGen Worker Process"2⤵PID:2112
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 3f4 -NGENProcess 3dc -Pipe 3ec -Comment "NGen Worker Process"2⤵PID:2260
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3dc -NGENProcess 3f8 -Pipe 40c -Comment "NGen Worker Process"2⤵PID:2232
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3cc -NGENProcess 408 -Pipe 368 -Comment "NGen Worker Process"2⤵PID:2032
-
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
PID:1928
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2160
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2256
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1064
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2060
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2732
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2604
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:564
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2392
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2016
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1808
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1780
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:568
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2616
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1648 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2764
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
- Modifies data under HKEY_USERS
PID:1680
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD5286676e032c5519858609c34b11d87ef
SHA10a05b985e693e83e43970c24ea2559886cfe73ac
SHA2562690cf8e6acd596792a73048cbcd38432784ca6912b0ff27bdb39799e907b14c
SHA512bd9fa0592796895bf091601e0ecffb2d28935a19978690cd2f52bb4fee3fe7d7e6deb866fc8ec8fd6c376b9aa5aff7f06d98b6e7ee01e4f7ab2e5a27595179bb
-
Filesize
30.1MB
MD5d5f3964ddd5666196f3a6df7d8ae5242
SHA16e6f4f5121024594c11e8d5d07c610b1da5988c8
SHA2564f4cf66ab48b175cb43c3946ab9f08cd044c88234a7b4ba1e61783fdf4cd3a79
SHA5126ea2967f932fdc22d4612a3045fd330bed1b8fa376a93085f97bb8e8c7a4d0e732e90df9a4b0ff931e747494e4a192ee4210632843cc118f1b878047a8ee5735
-
Filesize
781KB
MD565d37c181e008c6b915550923aa98201
SHA1ebc267d0132b25bcdae0b8559104fa1b86a27646
SHA256e2fe6e79c2a5a2b15e231c30155a8052611373d7ab4e654a0d317e123523f558
SHA512e1290de6e146f573f170b59e8970a6a9624461115a0918498d892e2aadeb8e4915aa8b88fe56a7de6d191f6c1f3fbfae106ada18855e214e13c49b8d144b34b6
-
Filesize
5.2MB
MD5a11d643bff6e1f5a0e246c1b8d45e637
SHA18aea2d1007e56d2ad3fd8f6f1ac495cdf3b401eb
SHA2569fc60f7dbdfca87fc0a646f50aa708d9a31b96bd4958aa6088e428ff308e5f8b
SHA512e3da1a5ef40fc0916af8e9df4f683f72a26a30446c1616ff33891b8e495daaa709691ab751e764fc9755c09b7f607fe1d827245f9d66764463755f85d94dbbce
-
Filesize
2.1MB
MD51de71b84a367ce424ded458a306f1df9
SHA139b6d9a8497b462a2249e5e92d28545375ec4d3d
SHA2567484d82bd91e5c6e8956fa9a3bb4704ce644bb93f53f4cee5b25829d07596056
SHA5126552075140f3c1724b1089f15d4ac2b66446cfa637c1cabe61181db8ccff76aab52fd6da7d93f011d8281d808f1d011ca8c629f7892a0f898459332be191b3c3
-
Filesize
2.0MB
MD540f54b0d04039c6b8087c3021f8c77ad
SHA18a69dea92211bb7d004476d8a790bcaa6e1cb2c0
SHA256375f8515188038cfe0c3f5682def5f4342bf8885b6915ac31d1f028d7617921c
SHA5123200d5e0a3113c03ea4d954f66e20d57744ce474cad541243804795310d27d756004e79e1f56fca1b313d8db352baea91acf91173d9de3e0c8849d2adc9b4ee2
-
Filesize
1024KB
MD5e4e8bd22f7cb41cb482ed6d096f5454a
SHA1fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA2564e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
648KB
MD506d7ef22b3cd101349da624936fcd816
SHA1000057de0092d0ca77a21ae7e7a5343693030c8c
SHA25668f09a06a1ad6081582a0153fa4ffc887736a52d8d909f8929e0b29ec5af635e
SHA512b06ea02686d3b902fd63f6624ac666efd6e2edbe0f4111e043ec849fc4136042c3caead95c35c78dc5be94d3e58645a3023a8d51e6fe6d504a8d9c0a1ace5eea
-
Filesize
872KB
MD5799dfa18204925159b6aa4f2e483e8c7
SHA14448788f4b4a4550033f30e9f255a2ed7dd9d939
SHA256356461af976cdfa7ca0edd71d1af67ebfb6a470a17a044dd5e3b0f9a321d3cd1
SHA5125b8f062d6a38e5ed8e17813b8ec6dcdb2adb7f9bb962c3a812f59ee52e92cbf00724376b11f1676269464cf4d12b715252dd877692d962a5cf8d8057a53bb12e
-
Filesize
603KB
MD53d6252cf89042a0ffbd0f597b6300975
SHA1e70db98f49eca11751cbc009e2641806d7c8a432
SHA256e7cbcb8da1ce3cecf18c9cfd6686e52b90b5d2b3a9924beb1c8223cc46c7b676
SHA512b02778db084624acd351c79f9dcbc799a61d7e68756cb839380367c9cabc439c293fcdd300ff494e3105cf876d085b0a0ab2d3ebf93d6de3e1b8e71f6e93415a
-
Filesize
678KB
MD5a2cc578a3c2c81fbefdbf5511536becc
SHA1bcaa14a282eaf959e3303eb55f4d790f4dd102ab
SHA256cdfb2b7c3cc722c7991ed15c95c3ea3cdc077d88fa92b23b688f00dfbbeb53bb
SHA512c1fa8e645e83d3d6caca82a3368288d9973648a534e487cb210128471e625ba938a920f8d5cbdc9fc8dd78a67e339841f353638b6e70577fae09dc3797193fc3
-
Filesize
8KB
MD586c10c4d957d32998ca4f46f916950e9
SHA17a2af44de3136e2a803bf1c99d9099ae0548ddfa
SHA25651a269cd06e974c2bb933ba66c67c14ec72072bcc6031b9bdeb0b92a30757484
SHA512c43b8ff16904df320bc12141551986c4d869d0c8a2487b79387874ab70c1b2c72651518ca17a2da86a75a3e559e3084d9b9b6e7f29296c1a089321cea4ae6d4e
-
Filesize
625KB
MD5ca391aa42f000e20b3f6825a5c10daac
SHA140dcdea477312ce3e9e0ca0854e3363a8dc80207
SHA256f028bad894a5a70f9af2bebd17ce18e2e6129ed4b2c55fa2af66d0c64f591e23
SHA512ec66f91401ce83c33525ae59b77314abce281bf3a38a4ed91bba30813782673f3a8b825402759060db1358fde91d551d1ef2370d3a790d277d41bfe0d4207cdf
-
Filesize
1003KB
MD523b871113e8da67c2bafebf36cdfa44b
SHA1c05105c8a6b6dc85c9318c4f33373b7646bb546e
SHA256add230fcfe3ad3bc44cd405457214fbc2d564abeeaf86ed8571c2a16d5995cf9
SHA512570923dc789d2e6d2bbed01d9eef596c5ae4713413c2ccbe2f8f264c2e2b6067fb57086fa74497218f36980f40eaece2a759484a464f6af74541afc0bfe57e7d
-
Filesize
656KB
MD5f0d70d6f93c98e1105e2c3d798648376
SHA1500eaee0a40c08e13d25f2a6bfb342c33e57c510
SHA2566434393bada79a890dd23c9065b8529d2c2f9cb05b814d52241535c149047c7c
SHA512b2c79a9cd8116b88d51389948ee4102c6b0a99f68078c57bb06796bee98f92e3bf4e4039a2211e2158fb2ef2d0ea26538216a25579c3641a481cfd705fad78de
-
Filesize
587KB
MD555d5c152fe77d12dcf413b8ea906a309
SHA10054bf10c9f29b7e97f0cb72580984cf402291e5
SHA2562e47b70d94664f6575698bb96dd657827dc4580a2efa1d30b9c20b5dfd402ff7
SHA5125902558528639066d52c41bb51f3e1b763627af2c1a44d9896bf4d64e1d5913c9eadc0851273cda42096a87ad369f4d4dd615883507161dd8afbaf03442a93e7
-
Filesize
1.1MB
MD597806594c1fccd635e45a08909f5f9ca
SHA1f8d72ca68817c511107bbddaa96efaa0f0c32eb9
SHA2566f3a99a860c931c3532092279ee3a2e744b5c7649a19f3b2913d02247b05f386
SHA5126ffc204ddcdb63f0bda5815b349f78131c6fe4b9606a63ab1644ade5c4d647fe9747aab5ea21840b9141f61667e45787b0465bd6f336fbd76a673b048fc28ea4
-
Filesize
2.1MB
MD563f54f9191a4c90029e0f44409764976
SHA1d526eb8165d6a8a8fd5da6b3d3591bc9e4135318
SHA25632e87d271cdb0a86744a8e0ad4d51a9c6ab4550b863ead406d0e140d55a9025c
SHA512bf430980e22971df24b4404da5a507455cfde48d8cb6be2635220b3cd83ca8c45a5b4ce2c65b5d99408093f858d7514813bcd27203fd8b974d9f65c04bca4693
-
Filesize
644KB
MD5d3d80e66072215632cf18eab60e24cab
SHA106034b69aa730e4bdba5e178ec1a8e72caab6707
SHA256862e44b4d43577a4b1dfb988a5f1664b3cba91b928e7ff2e04384a613c3b03aa
SHA512303683145b5350a5500aab6728cdf859380450146d8c1b11ffe5459d5edee39d9b0053da4201284e8647743e56a81d557499266841682edebf3050dfd4ed61a8
-
Filesize
674KB
MD548eaff6ee10533463682cbf5e7ce8a3c
SHA109c66e9deae5060bc0695210f7772564b74cbb59
SHA25622537585e8b33b64d31fd67989fcc0efd2f927d0654adad2d3951ea050bdc231
SHA51299c6d337cb2d38b111ad354530ab80b371ef0e395851d1ac1e1ab8467e843265ce3a86a19fd33706ef9d7427b80887be0309d02497451e7568fb0bfcea0b8647
-
Filesize
705KB
MD56b9c50e5e2dda5ad725bc0f0b8179674
SHA18f3c1e40eb1e4c7824cdbfff151e73abe875a125
SHA2568aec8a280e19f746df45011c2ff3c1997358c5515bb6f1938c427111f3df25cc
SHA512038d8bb7d70cc139145f3454d39aa54d286b091413e1f9f893b2fd7a54c276ddc0ad794cf6bb416bcfa623f2e4e6f1a32b9faa819be5c658f7f1e616b48e2c09
-
Filesize
581KB
MD53aabf5e3885546f19b34f8e634435b5b
SHA16e255ddbdf828bf2202929fe8051ec10d4a0536d
SHA256293cb4b5a5ee66a87b315f34e7cfb769925be3107e1438caf832f710335b5d51
SHA512a3c493fb7fea13888362bf82012433debe9c69f121d40cdb994fd4a82d9113655c5fddfb7b8d9cf89e5d3dac0843ed341b09def4e2a18e112d9b33682e06fb95
-
Filesize
1.1MB
MD510d3ee1fd6f40f9f26cb4f8695fbab8b
SHA16d39f061429ddd4289f9f1bc2c16775b7c409b44
SHA25696d239df30e7cabde4ad449646b624a341420dbcd6bbcf39aa81663bc247da84
SHA512f68ad1f2bb8da5b05ef1e8b98a82a77575537463a3343fe0fc64d105acb9db693d5c6b12d0befd11b1cce28b704f86d7bd992d6b216590b6b078d7cdd13a3f98
-
Filesize
765KB
MD5f7e3de5e622479a4e9edaa0d77a6af35
SHA1688de96fa058b8dcf9451b7bba2ad2a09adfbdb4
SHA256139625b307c920074f7139122d8fafcbffdff2a76920e89884390cc209f55dd5
SHA512459982a75b492700c47e3a8dc7a9cf5b327d8073dfddf47a767faa6198e37379605832388847f9b1c47f01facf441b004a03c721c170066dc2d9cfc65e5223f5
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll
Filesize105KB
MD5d9c0055c0c93a681947027f5282d5dcd
SHA19bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA5125404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll
Filesize1.1MB
MD57835e60e560a49049ae728698da3d301
SHA187b357b1b3c9a2ad2f3b89b10a42af021ab76afe
SHA256df34cbc18c66aa387324c45196d71ebe7c91a83fbbdc91766f9f47330a0cb2fa
SHA512b95c33a2746a331e4416f7449c8ab613ba16c716a449e446d825f34dfaf754ea7562bf77cf5a73a78599e0b67a3a697437baa9aa516e40e06981693c8ea5b993
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll
Filesize238KB
MD50a4ed78b7995d94fa42379f84cd5f8e9
SHA190ba188fe0ebd38ad225e7ce3a24dd9b6b68056b
SHA2560a75d0d332692cc36d539abdd36f3ff5ef2ab786a9404548ca6c98fd566c4d86
SHA51286ac346de836aa6dd7e017ff4329803c9165758dcfe3aa1881e46ca73e15e6cdb269fcc5b082d717774666f9bc40051a47b5261bfe73901804eb4b0bfacd1184
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll
Filesize248KB
MD54bbf44ea6ee52d7af8e58ea9c0caa120
SHA1f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll
Filesize1.8MB
MD59958f23efa2a86f8195f11054f94189a
SHA178ec93b44569ea7ebce452765568da5c73511931
SHA2563235e629454949220524dd976bec494f7cc4c9abeaf3ee63fc430cbe4fbcf7b6
SHA5123061f8de0abf4b2b37fbc5b930663414499fb6127e2892fe0a0f3dfba6da3927e6caa7bcba31d05faee717d271ecf277607070452701a140dc7d3d4b8d0bfeb1
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll
Filesize1.0MB
MD5598a06ea8f1611a24f86bc0bef0f547e
SHA15a4401a54aa6cd5d8fd883702467879fb5823e37
SHA256e55484d4fe504e02cc49fde33622d1a00cdae29266775dcb7c850203d5ed2512
SHA512774e6facd3c56d1c700d9f97ee2e678d06b17e0493e8dc347be22bcba361bd6225caef702e53f0b08cacc9e6a4c4556280b43d96c928642266286f4dec8b5570
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD53d6987fc36386537669f2450761cdd9d
SHA17a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA25634c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA5121d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize205KB
MD50a41e63195a60814fe770be368b4992f
SHA1d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA2564a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA5121c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize43KB
MD568c51bcdc03e97a119431061273f045a
SHA16ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA2564a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize198KB
MD59d9305a1998234e5a8f7047e1d8c0efe
SHA1ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA51258b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize70KB
MD557b601497b76f8cd4f0486d8c8bf918e
SHA1da797c446d4ca5a328f6322219f14efe90a5be54
SHA2561380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA5121347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize87KB
MD5ed5c3f3402e320a8b4c6a33245a687d1
SHA14da11c966616583a817e98f7ee6fce6cde381dae
SHA256b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\93f1160b7dd5fb5e2302d0d40a779a93\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
Filesize305KB
MD573686c9e1615cb7940a1e891fe42a0e8
SHA1b67c449d9c279a493239e1abb13f659f6799e5b5
SHA2560d5d1d66a121ac9d75a17b2f440e93d1239636acebefe04fb3880f8537f256d0
SHA512c8bc0847ebad8fbee93a19ab3eed2488d00731c8f6607b062d5b10143265b75596f93ebe71d1ebde52d6c7485ead966de18d3bdbe38e0b24f9241195ee25d5d9
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize82KB
MD52eeeff61d87428ae7a2e651822adfdc4
SHA166f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA25637f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize58KB
MD5a8b651d9ae89d5e790ab8357edebbffe
SHA1500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA2561c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\aed73bfbba16cde52a8eb5deb16afb71\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize271KB
MD53d86be1fd7212105a0c4db9538c7665f
SHA1fddf4cc86473e089ecdefc6f5d099ee978338380
SHA25630e695790a97df1d6e37537fc14d20d88946818b4726322eecdcaf5b01cd4367
SHA51225240d6cf2b8e4ec198f536fdaf17f335b6dc5a3df482a0878ab53ff87f93b319f5dc50dfe908264bbe8ece1a3f4a3027a84dbdf3c1f3e0011a141e1049ffa50
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize85KB
MD55180107f98e16bdca63e67e7e3169d22
SHA1dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA51227d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize298KB
MD55fd34a21f44ccbeda1bf502aa162a96a
SHA11f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA2565d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA51258c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f44bca87becb36a598662d6423dee1ca\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize122KB
MD54c007cdd363e007fc45d6f59506199ab
SHA1cb14f1f1138045fbd8aa2c108a064a8382d74a0f
SHA25697b8118d4e2289e82ac5c15c8d51d6bc1fd938207537a3d3c237c8fce4331e26
SHA51291148efda5466cefeae0a9f989bdc5a9e2656092832dec32aed46d544379252492cd301d699c5912b89cde0f05549bc82db70cd08cf462bda3e6d17b65d1495a
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f849cafdd4a46b1ee69469febecb5601\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize221KB
MD563ab61c41cc3a7c75adfb345c1e8354e
SHA14e48eed60df1ece915d45b2d0d443c6c28089b08
SHA256eb3208f5384cb1105ade7e6339321ece488f3b2082e2d50d33f46ff93a22bad9
SHA51276628357623c764f2f175bf3fd4f035b0ca765ecaddd1bc96d99f8f24b9e92cf3261706416247c5f538b37db936b4374dbfea48485e4c75995ef9e9a4e38c08d
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize43KB
MD5dd1dfa421035fdfb6fd96d301a8c3d96
SHA1d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA5128e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll
Filesize124KB
MD5929653b5b019b4555b25d55e6bf9987b
SHA1993844805819ee445ff8136ee38c1aee70de3180
SHA2562766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll
Filesize2.1MB
MD510b5a285eafccdd35390bb49861657e7
SHA162c05a4380e68418463529298058f3d2de19660d
SHA2565f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA51219ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452
-
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll
Filesize88KB
MD51f394b5ca6924de6d9dbfb0e90ea50ef
SHA14e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA2569db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476
-
Filesize
1.2MB
MD51d074d1e0a2f77963af469d21924b0fe
SHA1cf7a9e715ff6b40e6d5cbd1785b9570fc8ec6874
SHA256598f87e3b74578cd0fb28df3a7a3456cf3967ccce27b2edb13d69130deba9e8a
SHA51277ac758a9b33f0e6fb9f14b9323d0d55458aee003b27fcb169f81e23b8b852ac90086260a15849c9cc504eca0d982f19a8a332f6354c99e6509917f760a7ea25
-
Filesize
691KB
MD5ca933faa03074b3e831be53a333bd670
SHA14c97281f1ed555e0fcb67260e7cabe53999b7815
SHA25691c706236ac4f9706100dee26d526f7d38760609be255fc90c4910e6e0e96c4e
SHA5128f16f84d516461b67715e636a4e74f09b85d48926d65e006b72f9997147dbb66bcc1dcf5e3bf5921f355f5cbc97a54e9964000362371cea64b2a17aaec2243ff
-
Filesize
577KB
MD5b17fa156377e5b3a51a1d56ed903a7ff
SHA1761a55051aafbe5925d1550b81f9cbc2db642700
SHA2560c0af1a7e4516a75af22aebd761d539bd610d1dcf0b70b79fee4651b07a1a11a
SHA5121b4c36507ceb56788eb91b2562fcb466bb1154b4128e27e6107d376d7b368953b77577f2318285fae45c061f9e34d379caf4ea09147b05e82121c980ac0f1da1
-
Filesize
691KB
MD556c7514236d4a8743510ec395d53938a
SHA180c97284abc82fc02f33e4e81eb2ef22d77491e3
SHA2562d80b03986f82ec44c62b9de136c17afc33782635c43a519dad3f868902820ce
SHA512c2c92960943ba8dcc74229313fed0856737dd7f511b7babaac1efb04a3bc70b9726a0c77204f0408f03248d4f05b535aee3ef4048de8d47a1dcc5c8f9780484e
-
Filesize
2.0MB
MD592681580a2264b3adadac456ccbf4ef5
SHA12e8818e0be57519fde01f6d4b764ae151f5fc04d
SHA256f00447fa38355018aecdaddd5f446b65ca3984dd2bc3b1580214f6a71255b6a4
SHA5128353e71a3c1092fada8feb6b99561befb66291239f66424e33480614dfc23e454c5eef2fc5b08bc1f856e740a0bebf3504ad0ef01c5e397f4ebab20ebec75640